ACL and QoS Configuration Guide-Book

H3C S7500E Series Ethernet Switches
ACL and QoS

Configuration Guide
Hangzhou H3C Technologies Co., Ltd.

http://www.h3c.com
Document Version: 20100722-C-1.01
Product Version: Release 6605 and Later
Copyright 2009-2010, Hangzhou H3C Technologies Co., Ltd. and its licensors
All Rights Reserved
No part of this manual may be reproduced or transmitted in any form or by any means without prior
written consent of Hangzhou H3C Technologies Co., Ltd.
Trademarks
H3C,
, Aolynk,
, H3Care,
, TOP G,
, IRF, NetPilot, Neocean, NeoVTL,
SecPro, SecPoint, SecEngine, SecPath, Comware, Secware, Storware, NQA, VVG, V2G, VnG, PSPT,
XGbus, N-Bus, TiGem, InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co.,
Ltd.
All other trademarks that may be mentioned in this manual are the property of their respective owners.
Notice
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.
Preface
The H3C S7500E documentation set includes 12 configuration guides, which describe the software
features for the H3C S7500E Series Ethernet Switches and guide you through the software
configuration procedures. These configuration guides also provide configuration examples to help you
apply software features to different network scenarios.
The ACL and QoS Configuration Guide describes fundamentals and configuration of ACL and QoS. It
describes how to create IPv4 ACL and IPv6 ACL, use QoS polices to control traffic, and configure
common QoS techniques such as traffic policing, traffic shaping, congestion management, and
congestion avoidance.
This preface includes:
z
Audience
Document Organization
Conventions
About the H3C S7500E Documentation Set
Obtaining Documentation
Documentation Feedback
Audience
This documentation is intended for:
z
Network planners
Field technical support and servicing engineers
Network administrators working with the S7500E series
Document Organization
The ACL and QoS Configuration Guide comprises these parts:
ACL Configuration
QoS Overview
QoS Configuration
Approaches
Priority Mapping
Configuration
Traffic Policing, Traffic

Shaping, and Line Rate
Configuration
Congestion Management
Configuration
Congestion Avoidance
Traffic Filtering
Configuration
Priority Marking
Configuration
Traffic Redirecting
Configuration
Aggregation CAR
Configuration
Class-Based Accounting
Configuration
QoS in an EPON System
Appendix A Default
Priority Mapping Tables
Appendix B Introduction
to Packet Precedences
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Convention
Description
Boldface
Bold text represents commands and keywords that you enter literally as shown.
italic
Italic text represents arguments that you replace with actual values.
[]
Square brackets enclose syntax choices (keywords or arguments) that are

optional.
{ x | y | ... }
Braces enclose a set of required syntax choices separated by vertical bars,

from which you select one.
[ x | y | ... ]
Square brackets enclose a set of optional syntax choices separated by vertical

bars, from which you select one or none.
{ x | y | ... } *
Asterisk marked braces enclose a set of required syntax choices separated by

vertical bars, from which you select at least one.
[ x | y | ... ] *
Asterisk marked square brackets enclose optional syntax choices separated by

vertical bars, from which you may select multiple choices or none.
&<1-n>
The argument or keyword and argument combination before the ampersand (&)
sign can be entered 1 to n times.
A line that starts with a pound (#) sign is comments.
GUI conventions
Convention
Description
<>
Button names are inside angle brackets. For example, click <OK>.
[]
Window names, menu items, data table and field names are inside square
brackets. For example, pop up the [New User] window.
Multi-level menus are separated by forward slashes. For example,

[File/Create/Folder].
Symbols
Convention
Description
Means reader be careful. Improper operation may cause data loss or damage to
equipment.
Means an action or information that needs special attention to ensure
successful configuration or good performance.
Means a complementary description.
About the H3C S7500E Documentation Set

The H3C S7500E documentation set includes:
Category
Product description and

specifications
Documents
Purposes
Marketing brochures
Describe product specifications and benefits.
Technology white papers
Provide an in-depth description of software features

and technologies.
Card datasheets
Describe card specifications, features, and standards.
Installation guide
Provides a complete guide to hardware installation

and hardware specifications.
H3C N68 Cabinet

Installation and Remodel
Introduction
Guides you through installing and remodeling H3C

N68 cabinets.
H3C Pluggable SFP

[SFP+][XFP] Transceiver
Modules Installation
Guide
Guides you through installing SFP/SFP+/XFP

transceiver modules.
H3C Mid-Range Series

Ethernet Switches
Pluggable Modules
Manual
Describes the hot-swappable modules available for

the Mid-Range Series Ethernet Switches, their
external views, and specifications.
H3C PoE DIMM Module

Installation Guide
Describes how to install the DIMM

(LSBM1POEDIMMH) for PoE master and slave power
management.
Single PoE DIMM

Module Installation Guide
Describes how to install the 24-port DIMM

(LSQM1POEDIMMS0) for PoE power management.
Configuration guides
Describe software features and configuration

procedures.
Command references
Provide a quick reference to all available commands.
Configuration examples
Describe typical network scenarios and provide

configuration examples and instructions.
Release notes
Provide information about the product release,

including the version history, hardware and software
compatibility matrix, version upgrade information,
technical support information, and software upgrading.
Hardware installation
Software configuration
Operations and
maintenance
Category
Power configuration
Documents
Purposes
H3C
PSR320-A[PSR320-D]
Power Module User
Manual
Describes the appearance, specifications, LEDs, and

installation and removal of the H3C
PSR320-A/PSR320-D power module.
H3C
PSR650-A[PSR650-D]
Power Module User
Manual

H3C
PSR1400-A[PSR1400-D]
Power Module User
Manual

H3C PSR2800-ACV
Power Module User
Manual

installation and removal of the H3C PSR2800-ACV
power module.
H3C PSR6000-ACV
Power Module User
Manual

installation and removal of the H3C PSR6000-ACV
power module.
H3C PWR-SPA Power

Module Adapter User
Manual
Describes the functions and appearance of the H3C

PWR-SPA power module adapter, and how to use it
with the PSR650 power module.
H3C S7500E Power

Configuration Guide
Guides you to select power modules in various cases.

The S7500E series Ethernet switches support various
card models. Each model is provided with a card
manual that describes:
Optional cards
Card manuals
z
z
z
z
The type, number, and transmission rate of

interfaces
Applicable switches of the card
Required software version
Pluggable modules supported by the card
Obtaining Documentation
You can access the most up-to-date H3C product documentation on the World Wide Web at
http://www.h3c.com.
Click the links on the top navigation bar to obtain different categories of product documentation:
[Technical Support & Documents > Technical Documents] Provides hardware installation, and
software feature configuration and maintenance documentation.
[Products & Solutions] Provides information about products and technologies, as well as solutions.
[Technical Support & Documents > Software Download] Provides the documentation released with
the software version.
Documentation Feedback
You can e-mail your comments about product documentation to info@h3c.com.
We appreciate your comments.
Table of Contents
1 ACL Configuration1-1
ACL Overview 1-1
Introduction to ACL1-1
Application of ACLs on the Switch 1-2
ACL Classification 1-2
ACL Numbering and Naming 1-3
Match Order1-3
ACL Rule Numbering Step 1-4
Implementing Time-Based ACL Rules 1-5
IPv4 Fragments Filtering with ACLs 1-5
ACL Configuration Task List 1-5
Configuring an ACL1-6
Creating a Time Range 1-6
Configuring a Basic ACL 1-7
Configuring an Advanced ACL 1-9
Configuring an Ethernet Frame Header ACL 1-12
Copying an ACL 1-14
Displaying and Maintaining ACLs 1-15
ACL Configuration Examples1-15
IPv4 ACL Configuration Example1-15
IPv6 ACL Configuration Example1-17
2 QoS Overview 2-1
Introduction to QoS 2-1
Introduction to QoS Service Models 2-1
Best-Effort Service Model2-1
IntServ Service Model 2-2
DiffServ Service Model 2-2
QoS Techniques Overview 2-2
Positions of the QoS Techniques in a Network2-3
3 QoS Configuration Approaches3-1
QoS Configuration Approach Overview 3-1
Non Policy-Based Configuration 3-1
Policy-Based Configuration 3-1
Configuring a QoS Policy3-1
Defining a Class 3-2
Defining a Traffic Behavior 3-5
Defining a Policy3-5
Applying the QoS Policy3-6
Displaying and Maintaining QoS Policies3-10
4 Priority Mapping Configuration4-1

Priority Mapping Overview 4-1
Introduction to Priority Mapping4-1
Priority Mapping Tables4-1
Priority Trust Mode on a Port 4-2
Priority Mapping Procedure4-2
Priority Mapping Configuration Tasks 4-4
Configuring Priority Mapping4-5
Configuring a Priority Mapping Table 4-5
Configuring the Priority Trust Mode on a Port4-5
Configuring the Port Priority of a Port4-6
Displaying and Maintaining Priority Mapping4-6
Priority Mapping Configuration Examples4-7
Priority Mapping Table and Priority Marking Configuration Example4-7
5 Traffic Policing, Traffic Shaping, and Line Rate Configuration5-1
Traffic Policing, Traffic Shaping, and Line Rate Overview5-1
Traffic Evaluation and Token Buckets5-1
Traffic Policing 5-2
Traffic Shaping 5-3
Line Rate 5-4
Configuring Traffic Policing 5-5
Configuration Procedure5-5
Configuration Example 5-6
Configuring GTS 5-7
Configuring the Line Rate 5-8
Displaying and Maintaining Traffic Policing, GTS, and Line Rate 5-9
6 Congestion Management Configuration 6-1
Congestion Management Overview6-1
Causes, Impacts, and Countermeasures of Congestion6-1
Congestion Management Policies6-2
Congestion Management Configuration Approaches 6-4
Per-Queue Hardware Congestion Management 6-5
Configuring SP Queuing6-5
Configure WRR Queuing6-6
Configuring WFQ Queuing 6-6
Configuring SP+WRR Queues 6-8
Displaying and Maintaining Congestion Management6-9
7 Congestion Avoidance7-1
Congestion Avoidance Overview 7-1
Introduction to WRED Configuration7-2
ii
WRED Configuration Approaches7-2

Introduction to WRED Parameters 7-2
Configuring WRED on an Interface7-2
Displaying and Maintaining WRED 7-3
8 Traffic Filtering Configuration8-1
Traffic Filtering Overview 8-1
Configuring Traffic Filtering8-1
Support of Line Cards for the Traffic Filtering Function 8-2
Traffic Filtering Configuration Example8-3
Traffic Filtering Configuration Example 8-3
9 Priority Marking Configuration9-1
Priority Marking Overview 9-1
Configuring Priority Marking9-1
Support of Line Cards for Priority Marking9-3
Priority Marking Configuration Example9-5
Priority Marking Configuration Example 9-5
QoS-Local-ID Marking Configuration Example 9-6
10 Traffic Redirecting Configuration 10-1
Traffic Redirecting Overview10-1
Configuring Traffic Redirecting 10-1
Support of Line Cards for Traffic Redirecting 10-2
11 Aggregation CAR Configuration 11-1
Aggregation CAR Overview 11-1
Referencing an Aggregation CAR in a Traffic Behavior 11-1
Configuration prerequisites 11-1
Configuration procedure 11-1
Displaying and Maintaining Aggregation CAR11-2
12 Class-Based Accounting Configuration12-1
Class-Based Accounting Overview12-1
Configuring Class-Based Accounting 12-1
Displaying and Maintaining Traffic Accounting 12-2
Class-Based Accounting Configuration Example 12-2
Class-Based Accounting Configuration Example12-2
13 QoS in an EPON System13-4
QoS in an EPON System13-4
QoS Functions for Uplink Traffic 13-4
QoS Functions for Downlink Traffic13-5
Configuring QoS in an EPON System 13-6
QoS Configuration Task List in an EPON System 13-6
Configuring QoS at the OLT side 13-7
Configuring QoS at the ONU Side13-10
Example for UNI Priority Remarking Configuration13-14
iii
14 Appendix A Default Priority Mapping Tables 14-1

15 Appendix B Introduction to Packet Precedences 15-1
IP Precedence and DSCP Values 15-1
802.1p Priority 15-2
EXP Values 15-3
16 Index 16-1
iv
ACL Configuration
This chapter includes these sections:
z
ACL Overview
ACL Configuration Task List
Configuring an ACL
Creating a Time Range
Configuring a Basic ACL
Configuring an Advanced ACL
Configuring an Ethernet Frame Header ACL
Copying an ACL
Displaying and Maintaining ACLs
ACL Configuration Examples
Unless otherwise stated, ACLs refer to both IPv4 and IPv6 ACLs throughout this document.
The S7500E Series Ethernet Switches are distributed devices supporting Intelligent Resilient
Framework (IRF). Two S7500E series can be connected together to form a distributed IRF device.
If an S7500E series is not in any IRF, it operates as a distributed device; if the S7500E series is in
an IRF, it operates as a distributed IRF device. For introduction of IRF, see IRF Configuration
Guide.
ACL Overview
This section covers these topics:
z
Introduction to ACL
Application of ACLs on the Switch
ACL Classification
ACL Numbering and Naming
Match Order
Implementing Time-Based ACL Rules
IPv4 Fragments Filtering with ACLs
Introduction to ACL
As network scale and network traffic are increasingly growing, network security and bandwidth
allocation become more and more critical to network management. Packet filtering can be used to
1-1
efficiently prevent illegal users from accessing networks and to control network traffic and save
network resources. Access control lists (ACL) are often used to filter packets with configured matching
rules.
ACLs are sets of rules (or sets of permit or deny statements) that decide what packets can pass and
what should be rejected based on matching criteria such as source MAC address, destination MAC
address, source IP address, destination IP address, and port number.
Application of ACLs on the Switch

The switch supports two ACL application modes:
z
Hardware-based application: An ACL is assigned to a piece of hardware. For example, an ACL

can be referenced by QoS for traffic classification. Note that when an ACL is referenced to
implement QoS, the actions defined in the ACL rules, deny or permit, do not take effect; actions to
be taken on packets matching the ACL depend on the traffic behavior definition in QoS. For details
about traffic behavior, see QoS Configuration Approaches in ACL and QoS Configuration Guide.
Software-based application: An ACL is referenced by a piece of upper layer software. For

example, an ACL can be referenced to configure login user control behavior, thus controlling
Telnet, SNMP and Web users. Note that when an ACL is reference by the upper layer software,
actions to be taken on packets matching the ACL depend on those defined by the ACL rules. For
details about login user control, see User Login Control in Fundamentals Configuration Guide.
When an ACL is assigned to a piece of hardware and referenced by a QoS policy for traffic
classification, the switch does not take action according to the traffic behavior definition on a
packet that does not match the ACL.
When an ACL is referenced by a piece of software to control Telnet, SNMP, and Web login users,
the switch denies all packets that do not match the ACL.
ACL Classification
ACLs fall into three categories, as shown in Table 1-1.
Table 1-1 ACL categories
Category
Basic ACLs
ACL number
IP version
Match criteria
IPv4
Source IPv4 address
IPv6
Source IPv6 address
2000 to 2999
Source/destination IPv4 address, protocols

Advanced ACLs
3000 to 3999
IPv4
over IPv4, and other Layer 3 and Layer 4

header fields
1-2
Category
ACL number
IP version
Match criteria
Source/destination IPv6 address, protocols
over IPv6, and other Layer 3 and Layer 4
IPv6
header fields
Ethernet frame
header ACLs
Layer 2 header fields, such as source and

4000 to 4999
IPv4 and IPv6
destination MAC addresses, 802.1p priority,

and link layer protocol type
ACL Numbering and Naming

Each ACL category has a unique range of ACL numbers. When creating an ACL, you must assign it a
number for identification, and in addition, you can also assign the ACL a name for the ease of
identification. After creating an ACL with a name, you can neither rename it nor delete its name.
For an Ethernet frame header ACL, the ACL number and name must be globally unique. For an IPv4
basic or advanced ACLs, its ACL number and name must be unique among all IPv4 ACLs, and for an
IPv6 basic or advanced ACL, among all IPv6 ACLs. You can assign an IPv4 ACL and an IPv6 ACL the
same number and name.
Match Order
The rules in an ACL are sorted in a certain order. When a packet matches a rule, the device stops the
match process and performs the action defined in the rule. If an ACL contains overlapping or
conflicting rules, the matching result and action to take depend on the rule order.
Two ACL match orders are available:
z
config: Sorts ACL rules in ascending order of rule ID. A rule with a lower ID is matched before a
rule with a higher ID. If you use this approach, check the rules and their order carefully.
auto: Sorts ACL rules in depth-first order, as described in Table 1-2. The depth-first order varies
with ACL categories.
Table 1-2 Sorting ACL rules in depth-first order

ACL category
IPv4 basic ACL
Depth-first rule sorting procedures

1)
A rule configured with a VPN instance takes precedence.
2)
A rule with more 0s in the source IP address wildcard mask takes precedence.
More 0s means a narrower IP address range.
3)
A rule with a smaller ID takes precedence.
1-3
ACL category
Depth-first rule sorting procedures

1)
A rule configured with a VPN instance takes precedence.
2)
A rule configured with a specific protocol is prior to a rule with the protocol type set
to IP. IP represents any protocol over IP.
3)
A rule with more 0s in the source IP address wildcard mask takes precedence.
More 0s means a narrower IP address range.
IPv4 advanced ACL

4)
A rule with more 0s in the destination IP address wildcard mask takes

precedence.
5)
A rule with a narrower TCP/UDP service port number range takes precedence.
6)
1)
A rule configured with a longer prefix for the source IP address takes precedence.
A longer prefix means a narrower IP address range.
IPv6 basic ACL

2)
1)
A rule configured with a specific protocol is prior to a rule with the protocol type set
to IP. IP represents any protocol over IPv6.
2)
A rule configured with a longer prefix for the source IPv6 address has a higher
priority.
IPv6 advanced ACL
3)
A rule configured with a longer prefix for the destination IPv6 address takes
precedence.
4)
A rule with a narrower TCP/UDP service port number range takes precedence.
5)
1)
A rule with more 1s in the source MAC address mask takes precedence. More 1s
means a smaller MAC address.
Ethernet frame
header ACL
2)
A rule with more 1s in the destination MAC address mask takes precedence.
3)
A wildcard mask, also called an inverse mask, is a 32-bit binary and represented in dotted decimal
notation. In contrast to a network mask, the 0 bits in a wildcard mask represent do care bits, while the
1 bits represent 'dont care bits'. If the 'do care' bits in an IP address identical to the 'do care' bits in an
IP address criterion, the IP address matches the criterion. All 'dont care' bits are ignored. The 0s and
1s in a wildcard mask can be noncontiguous. For example, 0.255.0.255 is a valid wildcard mask. With
wildcard masks, you can create more granular match criteria than network masks.
ACL Rule Numbering Step

What is the ACL rule numbering step
If you do not assign an ID for the rule you are creating, the system automatically assigns it a rule ID.
The rule numbering step sets the increment by which the system numbers rules automatically. For
1-4
example, the default ACL rule numbering step is 5. If you do assign IDs to rules you are creating, they
are numbered 0, 5, 10, 15, and so on. The wider the numbering step, the more rules you can insert
between two rules.
By introducing a gap between rules rather than contiguously numbering rules, you have the flexibility of
inserting rules in an ACL. This feature is important for a config order ACL, where ACL rules are
matched in ascending order of rule ID.
Automatic rule numbering and re-numbering

The ID automatically assigned to an ACL rule takes the nearest higher multiple of the numbering step
to the current highest rule ID, starting with 0.
For example, if the numbering step is 5 (the default), and there are five ACL rules numbered 0, 5, 9, 10,
and 12, the newly defined rule will be numbered 15. If the ACL does not contain any rule, the first rule
will be numbered 0.
Whenever the step changes, the rules are renumbered, starting from 0. For example, if there are five
rules numbered 5, 10, 13, 15, and 20, changing the step from 5 to 2 causes the rules to be
renumbered 0, 2, 4, 6 and 8.
Likewise, after you restore the default step, ACL rules are renumbered in the default step. Assume that
there are four ACL rules numbered 0, 2, 4, and 6 in steps of 2. When the default step is restored, the
rules are renumbered 0, 5, 15, and 15.

You can implement ACL rules based on the time of day by applying a time range to them. A time-based
ACL rule takes effect only in any time periods specified by the time range.
Two basic types of time range are available:
z
Periodic time range, which recurs periodically on a day or days of the week.
Absolute time range, which represents only a period of time and does not recur.
You may apply a time range to ACL rules before or after you create it. However, the rules using the
time range can take effect only after you define the time range.
IPv4 Fragments Filtering with ACLs

Traditional packet filtering matched only first fragments of IPv4 packets, and allowed all subsequent
non-first fragments to pass through. This mechanism resulted in security risks, because attackers may
fabricate non-first fragments to attack networks.
A rule defined with the fragment keyword applies to only IP fragments. Note that a rule defined with
the fragment keyword matches non-last IP fragments on an SA or EA Series LPUs while matching
non-first IP fragments on an SC, EB, or SD Series LPUs. For detailed information about types of LPUs,
see the installation manual.
ACL Configuration Task List

IPv4 configuration task list
Complete the following tasks to configure an IPv4 ACL:
1-5
Task
Remarks
Optional
Configuring an IPv4 basic ACL

Configuring an IPv4 advanced ACL
Copying an IPv4 ACL
Optional
IPv6 ACL configuration task list

Complete the following tasks to configure an IPv6 ACL:
Task
Remarks
Optional

Configuring an IPv6 Advanced ACL
Copying an IPv6 ACL
Optional
Configuring an ACL
Follow these steps to create a time range:
To do
Enter system view
Use the command

system-view
Remarks
time-range time-range-name
{ start-time to end-time days
Create a time range
Required
[ from time1 date1 ] [ to time2

date2 ] | from time1 date1 [ to
By default, no time range exists.
time2 date2 ] | to time2 date2 }
You may create time ranges identified with the same name. They are regarded as one time range
whose active period is the result of ORing periodic ones, ORing absolute ones, and ANDing periodic
and absolute ones.
You may create a maximum of 256 uniquely named time ranges, each with 32 periodic time ranges at
most and 12 absolute time ranges at most.
1-6
Configuring a Basic ACL

IPv4 basic ACLs match packets based on only source IP address.
Follow these steps to configure an IPv4 basic ACL:
To do
Enter system view
Use the command

system-view
Remarks
Required
By default, no ACL exists.
Create an IPv4 basic ACL and

enter its view
acl number acl-number [ name

acl-name ] [ match-order { auto |
IPv4 basic ACLs are numbered in

the range 2000 to 2999.
You can use the acl name
config } ]
acl-name command to enter the

view of an existing named IPv4
ACL.
Optional
Configure a description for the
IPv4 basic ACL
description text
By default, an IPv4 basic ACL has

no ACL description.
Optional
Set the rule numbering step
step step-value
5 by default.
Required
By default, an IPv4 basic ACL
Create or edit a rule
rule [ rule-id ] { deny | permit }
does not contain any rule.
[ fragment | logging | source
To create or edit multiple rules,
{ sour-addr sour-wildcard | any } |
repeat this step.
time-range time-range-name |
vpn-instance
vpn-instance-name ]*
Note that the logging and

vpn-instance keywords are not
supported if the ACL is to be
referenced by a QoS policy for
traffic classification.
Optional
Configure or edit a rule description
rule rule-id comment text
By default, an IPv4 ACL rule has

no rule description.
Note that:
z
You can only modify the existing rules of an ACL that uses the match order of config. When
modifying a rule of such an ACL, you may choose to change just some of the settings, in which
case the other settings remain the same.
1-7
You cannot create a rule with, or modify a rule to have, the same permit/deny statement as an
existing rule in the ACL.
When the ACL match order is auto, a newly created rule will be inserted among the existing rules
in the depth-first match order. Note that the IDs of the rules still remain the same.
You can modify the match order of an ACL with the acl number acl-number [ name acl-name ]
match-order { auto | config } command but only when it does not contain any rules.

Follow these steps to configure an IPv6 basic ACL:
To do
Enter system view
Use the command

system-view
Remarks
Required
Create an IPv6 basic ACL view

and enter its view
acl ipv6 number acl6-number

[ name acl6-name ] [ match-order
{ auto | config } ]
IPv6 basic ACLs are numbered in

the range 2000 to 2999.
You can use the acl ipv6 name
acl6-name command to enter the
ACL.
Optional

IPv6 basic ACL
description text
By default, an IPv6 basic ACL has

no ACL description.
Optional
step step-value
5 by default
Required
By default, an IPv6 basic ACL
[ fragment | logging | source
{ ipv6-address prefix-length |

repeat this step.
ipv6-address/prefix-length | any } |
Note that the logging and
time-range time-range-name ]*
fragment keywords are not

1-8
To do
Use the command
Remarks
Optional
By default, an IPv6 basic ACL rule

has no rule description.
Note that:
z
You can modify the match order of an IPv6 ACL with the acl ipv6 number acl6-number [ name
acl6-name ] match-order { auto | config } command but only when it does not contain any rules.
Configuring an Advanced ACL

Configuring an IPv4 advanced ACL
IPv4 advanced ACLs match packets based on source and destination IP addresses, protocols over IP,
and other protocol header information, such as TCP/UDP source and destination port numbers, TCP
flags, ICMP message types, and ICMP message codes.
IPv4 advanced ACLs also allow you to filter packets based on three priority criteria: type of service
(ToS), IP precedence, and differentiated services codepoint (DSCP) priority.
Compared with IPv4 basic ACLs, IPv4 advanced ACLs allow of more flexible and accurate filtering.
Follow these steps to configure an IPv4 advanced ACL:
To do
Enter system view
Use the command

system-view
1-9
Remarks
To do
Use the command
Remarks
Required
IPv4 advanced ACLs are
Create an IPv4 advanced ACL and

enter its view
numbered in the range 3000 to
3999.
config } ]

ACL.
Optional

IPv4 advanced ACL
description text
By default, an IPv4 advanced ACL

has no ACL description.
Optional
step step-value
5 by default.
protocol [ { established | { ack
Required
ack-value | fin fin-value | psh
By default, an IPv4 advanced ACL
psh-value | rst rst-value | syn
syn-value | urg urg-value } * } |
destination { dest-addr
repeat this step.
dest-wildcard | any } |
Note that if the ACL is to be
destination-port operator port1
[ port2 ] | dscp dscp | fragment |
traffic classification, the logging ,
icmp-type { icmp-type icmp-code |
reflective and vpn-instance
icmp-message } | logging |
keywords are not supported and
precedence precedence |
the operator argument cannot be:
reflective | source { sour-addr

sour-wildcard | any } | source-port
inbound traffic,
operator port1 [ port2 ] |

time-range time-range-name | tos
tos | vpn-instance
vpn-instance-name ] *
neq, if the policy is for the
gt, lt, neq or range, if the

policy is for the outbound
traffic.
Optional

Note that:
1-10
Configuring an IPv6 Advanced ACL

IPv6 advanced ACLs match packets based on the source IPv6 address, destination IPv6 address,
protocol carried over IPv6, and other protocol header fields such as the TCP/UDP source port number,
TCP/UDP destination port number, ICMP message type, and ICMP message code.
Compared with IPv6 basic ACLs, they allow of more flexible and accurate filtering.
Follow these steps to configure an IPv6 advanced ACL:
To do
Enter system view
Use the command
Remarks
system-view
Required
IPv6 advanced ACLs are
Create an IPv6 advanced ACL
and enter its view
acl ipv6 number acl6-number [ name
acl6-name ] [ match-order { auto |
3999.
config } ]
You can use the acl ipv6 name

acl6-name command to enter
the view of an existing named
IPv6 ACL.
Optional

IPv6 advanced ACL
description text
By default, an IPv6 advanced

ACL has no ACL description.
Optional
step step-value
5 by default.
1-11
To do
Use the command
Remarks
Required
rule [ rule-id ] { deny | permit } protocol
By default IPv6 advanced ACL
[ { established | { ack ack-value | fin
fin-value | psh psh-value | rst rst-value |
syn syn-value | urg urg-value } * } |
repeat this step.
destination { dest dest-prefix |
Note that if the ACL is to be
dest/dest-prefix | any } |
destination-port operator port1 [ port2 ]
traffic classification, the logging
| dscp dscp | fragment | icmpv6-type
and fragment keywords are not
{ icmpv6-type icmpv6-code |
supported and the operator
icmpv6-message } | logging | source
argument cannot be:
{ source source-prefix |
source/source-prefix | any } |
inbound traffic,
source-port operator port1 [ port2 ] |

time-range time-range-name ] *
neq, if the policy is for the
gt, lt, neq or range, if the

policy is for the outbound
traffic.
Optional
Configure or edit a rule
description

Note that:
z
You can modify the match order of an IPv6 ACL with the acl ipv6 number acl6-number [ name
acl6-name ] match-order { auto | config } command but only when it does not contain any rules.

Ethernet frame header ACLs, also called Layer 2 ACLs, match packets based on Layer 2 protocol
header fields such as source MAC address, destination MAC address, 802.1p priority (VLAN priority),
and link layer protocol type.
1-12
Follow these steps to configure an Ethernet frame header ACL:

To do
Enter system view
Use the command

system-view
Remarks
Required
Ethernet frame header ACLs are
Create an Ethernet frame header

ACL and enter its view
4999..
config } ]

view of an existing named
Ethernet frame header ACL.
Optional

Ethernet frame header ACL
description text
By default, an Ethernet frame

header ACL has no ACL
description.
Optional
step step-value
5 by default.
Required
[ cos vlan-pri | dest-mac
header ACL does not contain any
dest-addr dest-mask | lsap
rule.
lsap-code lsap-wildcard |
source-mac sour-addr
repeat this step.
source-mask | time-range
time-range-name | type type-code
type-wildcard ]*
Note that the lsap keyword is not

Optional

header ACL rule has no rule
description.
Note that:
z
1-13
Copying an ACL
You can create an ACL by copying an existing ACL. The new ACL has the same properties and content
as the source ACL except the ACL number and name.
To copy an IPv4 or IPv6 ACL successfully, ensure that:
z
The destination ACL number is from the same category as the source ACL number.
The source IPv4 or IPv6 ACL already exits but the destination IPv4 or IPv6 ACL does not.
Copying an IPv4 ACL

Follow these steps to copy an IPv4 ACL:
To do
Enter system view
Use the command

system-view
Remarks
acl copy { source-acl-number |

Copy an existing IPv4 ACL to
name source-acl-name } to
create a new IPv4 ACL
{ dest-acl-number | name
Required
dest-acl-name }
Copying an IPv6 ACL

Follow these steps to copy an IPv6 ACL:
To do
Enter system view
Use the command

system-view
Remarks
acl ipv6 copy

Copy an existing IPv6 ACL to
{ source-acl6-number | name
generate a new one of the same
source-acl6-name } to
category
{ dest-acl6-number | name
dest-acl6-name }
The generated ACL does not take the name of the source ACL.
1-14
Required
Displaying and Maintaining ACLs

To do...
Display configuration and match
statistics for one or all IPv4 ACLs
(distributed device)
Use the command
display acl { acl-number | all | name

acl-name } [ slot slot-number ]
display acl { acl-number | all | name
acl-name } [ chassis chassis-number slot
(distributed IRF device)
slot-number ]

(distributed device)
display acl ipv6 { acl6-number | all |

name acl6-name } [ slot slot-number ]
display acl ipv6 { acl6-number | all |
name acl6-name } [ chassis
(distributed IRF device)
chassis-number slot slot-number ]
Display the usage of ACL

resources (distributed device)
display acl resource [ slot slot-number ]
Display the usage of ACL
display acl resource [ chassis
resources (distributed IRF device)
Display the configuration and
display time-range { time-range-name |
status of one or all time ranges
all }
Clear statistics on one or all IPv4
reset acl counter { acl-number | all |
ACLs
name acl-name }
Clear statistics on one or all IPv6
reset acl ipv6 counter { acl6-number | all
basic and advanced ACLs
| name acl6-name }
Remarks
Available in any view
Available in user view
ACL Configuration Examples

IPv4 ACL Configuration Example
Network Requirements
As shown in Figure 1-1, a company interconnects its departments through the switch.
Configure an ACL to deny access of all departments but the Presidents office to the salary query
server during office hours (from 8:00 to 18:00) in working days.
1-15
Network Diagram
Figure 1-1 Network diagram for IPv4 ACL configuration
Presidents Office
192.168.1.0/24
Salary server
192.168.4.1
GE2/0/1
GE2/0/4
GE2/0/2
GE2/0/3
Switch
R&D department
192.168.2.0/24
Marketing department
192.168.3.0/24
Configuration Procedure
Create a time range for office hours
# Create a periodic time range spanning 8:00 to 18:00 in working days.
<Switch> system-view
[Switch] time-range trname 8:00 to 18:00 working-day
Define an ACL to control access to the salary query server

# Configure a rule to control access of the R&D Department to the salary query server.
[Switch] acl number 3000
[Switch-acl-adv-3000] rule deny ip source 192.168.2.0 0.0.0.255 destination 192.168.4.1
0.0.0.0 time-range trname
[Switch-acl-adv-3000] quit
# Configure a rule to control access of the Marketing Department to the salary query server.
[Switch] acl number 3001
[Switch-acl-adv-3001] rule deny ip source 192.168.3.0 0.0.0.255 destination 192.168.4.1
0.0.0.0 time-range trname
[Switch-acl-adv-3001] quit
Apply the IPv4 ACL

# Configure class c_rd for packets matching IPv4 ACL 3000.
[Switch] traffic classifier c_rd
[Switch-classifier-c_rd] if-match acl 3000
[Switch-classifier-c_rd] quit
# Configure traffic behavior b_rd to deny matching packets.

[Switch] traffic behavior b_rd
[Switch-behavior-b_rd] filter deny
[Switch-behavior-b_rd] quit
# Configure class c_market for packets matching IPv4 ACL 3001.

[Switch] traffic classifier c_market
[Switch-classifier-c_market] if-match acl 3001
[Switch-classifier-c_market] quit
1-16
# Configure traffic behavior b_ market to deny matching packets.

[Switch] traffic behavior b_market
[Switch-behavior-b_market] filter deny
[Switch-behavior-b_market] quit
# Configure QoS policy p_rd to use traffic behavior b_rd for class c_rd.
[Switch] qos policy p_rd
[Switch-qospolicy-p_rd] classifier c_rd behavior b_rd
[Switch-qospolicy-p_rd] quit
# Configure QoS policy p_market to use traffic behavior b_market for class c_market.
[Switch] qos policy p_market
[Switch-qospolicy-p_market] classifier c_market behavior b_market
[Switch-qospolicy-p_market] quit
# Apply QoS policy p_rd to interface GigabitEthernet 2/0/2.

[Switch] interface GigabitEthernet 2/0/2
[Switch-GigabitEthernet2/0/2] qos apply policy p_rd inbound
[Switch-GigabitEthernet2/0/2] quit
# Apply QoS policy p_market to interface GigabitEthernet 2/0/3.

[Switch-GigabitEthernet2/0/3] qos apply policy p_market inbound

Network Requirements
As shown in Figure 1-2, a company interconnects its departments through the switch.
Configure an ACL to deny access of the R&D department to external networks.
Network Diagram
Figure 1-2 Network diagram for IPv6 ACL configuration
# Create an IPv6 ACL 2000.
<Switch> system-view
[Switch] acl ipv6 number 2000
[Switch-acl6-basic-2000] rule deny source 4050::9000/120
[Switch-acl6-basic-2000] quit
# Configure class c_rd for packets matching IPv6 ACL 2000.

[Switch] traffic classifier c_rd
[Switch-classifier-c_rd] if-match acl ipv6 2000
[Switch-classifier-c_rd] quit
# Configure traffic behavior b_rd to deny matching packets.
1-17
[Switch] traffic behavior b_rd

[Switch-behavior-b_rd] filter deny
[Switch-behavior-b_rd] quit
# Configure QoS policy p_rd to use traffic behavior b_rd for class c_rd.
[Switch] qos policy p_rd
[Switch-qospolicy-p_rd] classifier c_rd behavior b_rd
[Switch-qospolicy-p_rd] quit
# Apply QoS policy p_rd to interface GigabitEthernet 2/0/1.

[Switch-GigabitEthernet2/0/1] qos apply policy p_rd inbound
1-18
QoS Overview
The S7500E Series Ethernet Switches are distributed devices supporting Intelligent Resilient
Framework (IRF). Two S7500E series can be connected together to form a distributed IRF device. If
an S7500E series is not in any IRF, it operates as a distributed device; if the S7500E series is in an
IRF, it operates as a distributed IRF device. For introduction of IRF, see IRF Configuration Guide.
This chapter covers the following topics:

z
Introduction to QoS
Introduction to QoS Service Models
QoS Techniques Overview
Introduction to QoS
In data communications, Quality of Service (QoS) is the ability of a network to provide differentiated
service guarantees for diversified traffic regarding bandwidth, delay, jitter, and drop rate.
The network resources are always scarce. Wherever there is contention for resources, there is the
demand for QoS to prioritize important traffic flows over trivial traffic flows. When making a QoS
scheme, a network administrator must plan network resources carefully considering the characteristics
of various applications to balance the interests of diversified users and fully utilize network resources.
The following part introduces the QoS service models, and some mature QoS techniques in wide use.
Appropriately using these techniques in specific environments, you can improve QoS effectively.
Introduction to QoS Service Models

This section covers three typical QoS service models:
z
Best-effort service
Integrated service (IntServ)
Differentiated service (DiffServ)
Best-Effort Service Model

Best effort is a single service model and also the simplest service model. In the best effort service
model, the network delivers the packets at its best effort but does not guarantee delay or reliability.
The best-effort service model is the default model in the Internet and is applicable to most network
applications. It is implemented through FIFO queuing.
2-1
IntServ Service Model

IntServ is a multiple services model that can accommodate multiple QoS requirements. In this model,
an application must request a specific kind of service from the network before it can send data. The
request is made by RSVP signaling. RSVP runs on each device from the source end to the destination
end, and monitors each data flow to prevent each data flow from consuming too many resources. The
Inter-Serv model can definitely identify and guarantee QoS for each data flow, and provides the most
granularly differentiated QoS.
However, the Inter-Serv model imposes extremely high requirements on devices. In a network with
heavy data traffic, the Inter-Serv model imposes very great pressure on the storage and processing
capabilities of devices. On the other hand, the Inter-Serv model is poor in scalability, and therefore, it is
hard to be deployed in the core Internet network.
For more information about RSVP, see MPLS TE Configuration in the MPLS Configuration Guide.
DiffServ Service Model

DiffServ is a multiple services model that can satisfy diverse QoS requirements. Unlike IntServ,
DiffServ does not require an application to signal the network to reserve resources before sending data.
DiffServ is easy to implement and extend.
All QoS techniques mentioned in this document are based on the Diff-Serv model.
QoS Techniques Overview

The QoS techniques include traffic classification, traffic policing, traffic shaping, line rate, congestion
management, and congestion avoidance. The following part briefly introduces these QoS techniques.
2-2
Positions of the QoS Techniques in a Network

Figure 2-1 Positions of the QoS techniques in a network
As shown in Figure 2-1, traffic classification, traffic shaping, traffic policing, congestion management,
and congestion avoidance mainly implement the following functions:
z
Traffic classification uses certain match criteria to assign packets with the same characteristics to
a class. Based on classes, differentiated services can be provided. Traffic classification uses
certain match criteria to organize packets with different characteristics into different classes.
Traffic classification is the basis for providing differentiated services.
Traffic policing polices flows entering or leaving a device and can be applied in both inbound and
outbound directions of a port. When a flow exceeds the pre-set threshold, some restriction or
punishment measures can be taken to prevent overconsumption of network resources.
Traffic shaping proactively adapts the output rate of traffic to the network resources available on
the downstream device to eliminate packet drop and delay. Traffic shaping is usually applied in
the outbound direction of a port.
Congestion management provides a resource scheduling policy to arrange the forwarding

sequence of packets when congestion occurs. Congestion management is usually applied to the
outgoing traffic of a port.
Congestion avoidance monitors the usage status of network resources and is usually applied to
the outgoing traffic of a port. As congestion becomes worse, it actively reduces the amount of
traffic by dropping packets.
2-3
QoS Configuration Approaches

This chapter covers the following topics:
z
QoS Configuration Approach Overview
Configuring a QoS Policy
QoS Configuration Approach Overview

Two approaches are available for you to configure QoS: policy-based and non policy-based.
Some QoS features can be configured in either approach while some can be configured only in one
approach.
Non Policy-Based Configuration

In the non policy-based approach, you configure QoS service parameters without using a QoS policy.
For example, to rate limit an interface, you can use the line rate feature to directly configure a rate limit
on the interface rather than using a QoS policy.
Policy-Based Configuration
In the policy-based approach, QoS service parameters are configured through configuring QoS
policies. A QoS policy defines what QoS actions to take on what class of traffic for purposes such as
traffic shaping or traffic policing.
Before configuring a QoS policy, be familiar with these concepts: class, traffic behavior, and policy.
Class
Classes are used to identify traffic.
A class is identified by a class name and contains match criteria for traffic identification. The
relationship between the criteria is AND or OR.
z
AND: A packet is considered as belonging to a class only when the packet matches all the criteria
in the class.
OR: A packet is considered as belonging to a class if it matches any of the criteria in the class.
Traffic behavior
A traffic behavior defines a set of QoS actions to take on packets, such as priority marking and traffic
redirecting.
Policy
A policy associates a class with a traffic behavior to define what actions to take on which class of
traffic.
You can configure multiple class-behavior associations in a policy.
Configuring a QoS Policy

Figure 3-1 shows how to configure a QoS policy.
3-1
Figure 3-1 QoS policy configuration procedure
Defining a Class
To define a class, you need to specify a name for it and then configure match criteria in class view.
Follow these steps to define a class:
To do
Use the command
Enter system view
system-view
Create a class and enter class
traffic classifier tcl-name
view
[ operator { and | or } ]
Remarks
Required
By default, the relationship
between match criteria is AND.
Configure match criteria
if-match match-criteria
Required
match-criteria: Match criterion. Table 3-1 shows the available criteria.

Table 3-1 The keyword and argument combinations for the match-criteria argument
Keyword and argument combination
Description
Specifies to match an IPv4 ACL specified by its
number or name. The access-list-number argument
acl { access-list-number | name acl-name }
specifies an ACL by its number, which ranges from

2000 to 4999; the name acl-name keyword-argument
combination specifies an ACL by its name.
3-2
Description
Specifies to match an IPv6 ACL specified by its
number or name. The access-list-number argument
acl ipv6 { access-list-number | name acl-name }
specifies an ACL by its number, which ranges from

2000 to 3999; the name acl-name keyword-argument
combination specifies an ACL by its name.
Matches all packets (IPv6 packets are ignored on the
any
SC cards).
Matches the 802.1p priority of the customer network.
The 8021p-list argument is a list of up to eight 802.1p
customer-dot1p 8021p-list
priority values. An 802.1p priority is in the range 0 to

7.
Specifies to match the packets of specified VLANs of
user networks. The vlan-id-list argument specifies a
list of VLAN IDs, in the form of vlan-id to vlan-id or
multiple discontinuous VLAN IDs (separated by
customer-vlan-id vlan-id-list
space). You can specify up to eight VLAN IDs for this

argument at a time. VLAN ID is in the range 1 to
4094.
Matches a destination MAC address
destination-mac mac-address
Matches DSCP values. The dscp-list is a list of up to

eight DSCP values. A DSCP value is a number in the
range of 0 to 63 or a word representing the specific
dscp dscp-list
value. For the number-to-word mapping, see Table

15-2.
Matches IP precedence. The ip-precedence-list is a
list of up to eight IP precedence values. An IP
ip-precedence ip-precedence-list
precedence is in the range of 0 to 7.

Matches a protocol. The protocol-name can be IP or
protocol protocol-name
IPv6.
Matches a local QoS ID, which is in the range of 1 to
4095. The local QoS IDs supported on the S7500E
qos-local-id local-id-value
series switches are from 1 to 3999.

Matches the 802.1p priority of the service provider
network. The 8021p-list argument is a list of up to
service-dot1p 8021p-list
eight 802.1p priority values. An 802.1p priority is in

the range 0 to 7.
3-3
Description
Specifies to match the packets of the VLANs of the
operators network. The vlan-id-list argument is a list
of VLAN IDs, in the form of vlan-id to vlan-id or
multiple discontinuous VLAN IDs (separated by
service-vlan-id vlan-id-list
space). You can specify up to eight VLAN IDs for this

argument at a time. VLAN ID is in the range of 1 to
4094.
Matches a source MAC address
source-mac mac-address
Matches a pre-defined match criterion (system-index)

for packets sent to the control plane. The
index-value-list argument specifies a list of up to eight
system-index index-value-list
system indexes. The system index range is from 1 to

128.
Suppose the logical relationship between classification rules is and. Note the following when using the
if-match command to define matching rules.
z
If multiple matching rules with the acl or acl ipv6 keyword specified are defined in a class, the
actual logical relationship between these rules is or when the policy is applied.
If multiple matching rules with the customer-vlan-id or service-vlan-id keyword specified are
defined in a class, the actual logical relationship between these rules is or.
3-4
The matching criteria listed below must be unique in a traffic class with the operator being AND.
Therefore, even though you can define multiple if-match clauses for these matching criteria or input
multiple values for a list argument (such as the 8021p-list argument) listed below in a traffic class,
avoid doing that. Otherwise, the QoS policy referencing the class cannot be applied to interfaces
successfully.
z
customer-dot1p 8021p-list
destination-mac mac-address
dscp dscp-list
ip-precedence ip-precedence-list
service-dot1p 8021p-list
source-mac mac-address
system-index index-value-list
To create multiple if-match clauses or specify multiple values for a list argument for any of the
matching criteria listed above, ensure that the operator of the class is OR.
Defining a Traffic Behavior

A traffic behavior is a set of QoS actions to take on a traffic class for purposes such as traffic filtering,
shaping, policing, priority marking. To define a traffic behavior, you must first create it and then
configure QoS actions such as priority marking and redirect in traffic behavior view.
Follow these steps to define a traffic behavior:
To do
Enter system view
Create a traffic behavior and enter
traffic behavior view
Configure other actions in the

traffic behavior
Use the command
Remarks
system-view
traffic behavior behavior-name
Required
See the subsequent sections depending on the purpose of the traffic

behavior: traffic policing, traffic filtering, traffic redirecting, priority
marking, traffic accounting and so on.
Defining a Policy
In a policy, you can define multiple class-behavior associations. A behavior is performed for the
associated class of packets. In this way, various QoS features can be implemented.
Follow these steps to associate a class with a behavior in a policy:
To do
Enter system view
Use the command

system-view
3-5
Remarks
To do
Create a policy and enter policy
view
Use the command
qos policy policy-name
Remarks
Required
Required
Associate a class with a behavior
in the policy
classifier tcl-name behavior
Specify the
behavior-name [ mode
dot1q-tag-manipulation keyword
dot1q-tag-manipulation ]
if the class-behavior association is

defined for VLAN mapping.
If an ACL is referenced by a QoS policy for defining traffic match criteria, packets matching the
ACL are organized as a class and the behavior defined in the QoS policy applies to the class
regardless of whether the match mode of the if-match clause is deny or permit.
In a QoS policy with multiple class-to-traffic-behavior associations, if the action of creating an

outer VLAN tag, the action of setting customer network VLAN ID, or the action of setting service
provider network VLAN ID is configured in a traffic behavior, we recommend you not to configure
any other action in this traffic behavior. Otherwise, the QoS policy may not function as expected
after it is applied.
The do1q-tag-manipulation keyword is applicable to only many-to-one VLAN mapping

configuration. For information about many-to-one VLAN mapping, see VLAN Mapping
Configuration in the Layer 2 - LAN Switching Configuration Guide.
Applying the QoS Policy

You can apply a QoS policy to different occasions:
z
Applied to an interface, the policy takes effect on the traffic sent or received on the interface.
Applied to a user profile, the policy takes effect on the traffic sent or received by the online users
of the user profile.
Applied to a VLAN, the policy takes effect on the traffic sent or received on all ports in the VLAN.
Applied globally, the policy takes effect on the traffic sent or received on all ports.
Applied to the control plane, the policy takes effect on the traffic sent or received on the control
plane.
3-6
You can modify classes, behaviors, and class-behavior associations in a QoS policy even after it
is applied.
The QoS policies applied to ports, VLANs, and the system globally have descending priorities. For
example, if a port and a VLAN carried on the port have both referenced a QoS policy for incoming
traffic, the one on the port is used to match traffic prior to the one for the VLAN.
Applying the QoS policy to an interface

A policy can be applied to multiple interfaces, but in one direction (inbound or outbound) of an interface
only one policy can be applied.
Follow these steps to apply the QoS policy to an interface:
To do
Enter system view
Enter
Enter
interface
interface
view
Use the command
system-view
interface interface-type
Enter port
group view
Use either command

Settings in interface view take
interface-number
effect on the current interface;
view or port
group view
Remarks
settings in port group view take

port-group manual port-group-name
Apply the policy to the
qos apply policy policy-name
interface/port group
{ inbound | outbound }
effect on all ports in the port group.
Required
The QoS policy applied to the outgoing traffic of a port does not regulate local packets, which are
critical protocol packets sent by the card that hosts the interface for maintaining the normal operation
of the device. The most common local packets include link maintenance packets, STP, LDP, and
RSVP packets.
Applying the QoS policy to online users

You can apply a QoS policy to multiple online users, but in one direction of each online user only one
policy can be applied. To modify a QoS policy already applied in a certain direction, remove the QoS
policy application first.
Follow these steps to apply the QoS policy to online users:
To do
Enter system view
Use the command
Remarks
system-view
3-7
To do
Use the command
Remarks
Required
The configuration made in user
profile view takes effect when the
user-profile is activated and there
Enter user profile view
are online users.
user-profile profile-name
See User Profile Configuration in

the Security Configuration Guide
for more information about user
profiles.
Required
Use the inbound keyword to
Apply the QoS policy
apply the QoS policy to the traffic
received by the online users. Use
{ inbound | outbound }
the outbound keyword to apply

the QoS policy to the traffic sent
by the online users.
Return to system view
quit
Activate the user profile
user-profile profile-name enable
Required
Inactive by default
If a user profile is active, the QoS policy, except ACLs referenced in the QoS policy, applied to it
cannot be configured or removed. If the user profile is being used by online users, the referenced
ACLs cannot be modified either.
The QoS policies applied in user profile view support only the remark, car, and filter actions.
Do not apply an empty policy in user profile view because a user profile with an empty policy
applied cannot be activated.
Applying the QoS policy to a VLAN

You can apply a QoS policy to a VLAN to regulate traffic of the VLAN.
Follow these steps to apply the QoS policy to a VLAN:
To do
Enter system view
Apply the QoS policy to VLANs
Use the command

system-view
qos vlan-policy policy-name vlan
vlan-id-list { inbound | outbound }
3-8
Remarks
Required
QoS policies cannot be applied to dynamic VLANs, for example, VLANs created by GVRP.
Applying the QoS policy globally

You can apply a QoS policy globally to the inbound or outbound direction of all ports.
Follow these steps to apply the QoS policy globally:
To do
Use the command
Enter system view
system-view
Apply the QoS policy globally
global { inbound | outbound }
Remarks
Required
A QoS policy containing any of the nest, remark customer-vlan-id, and remark service-vlan-id
Actions cannot be applied globally.
Applying the QoS policy to the control plane

Packet processing units fit into the data plane and the control plane depending on their functions.
z
At the data plane are units responsible for receiving, transmitting, and switching (that is,
forwarding) packets, such as various dedicated forwarding chips. They deliver super processing
speeds and throughput.
At the control plane are processing units running most routing and switching protocols and
responsible for protocol packet resolution and calculation, such as CPUs. Compared with data
plane units, they allow for great packet processing flexibility but have lower throughput.
When the data plane receives packets that it cannot recognize or process, it transmits them to the
control plane. If the transmission rate exceeds the processing capability of the control plane, which
very likely occurs at times of DoS attacks, the control plane will be busy handling undesired packets
and fail to handle legitimate packets correctly or timely. As a result, protocol performance is affected.
To address this problem, you can apply a QoS policy to the control plane to take QoS actions such as
traffic filtering or rate limiting on inbound traffic, thus ensuring that the control plane can receive,
transmit, and process packets normally.
Follow these steps to apply the QoS policy to the control plane:
To do
Enter system view
Enter control plane view (on a
distributed device)
Use the command
Remarks
system-view
control-plane slot slot-number
Required
3-9
To do
Use the command
Remarks
Enter control plane view (on a
control-plane chassis chassis-number slot
distributed IRF device)
slot-number
Apply the QoS policy to the
qos apply policy policy-name { inbound |
control plane
outbound }
Required
Required
The QoS policy applied to the control plane for a specific slot takes effect only on the slot.
In case a global QoS policy conflicts with a control plane QoS policy, the control plane QoS policy
takes effect on the control plane.
By default, devices are configured with pre-defined control plane policies, which take effect on the
control planes by default. A pre-defined control plane QoS policy uses the system-index to identify
the type of packets sent to the control plane. You can reference system-indexes in if-match
commands in class view for traffic classification and then re-configure traffic behaviors for these
classes as required. You can use the display qos policy control-plane pre-defined command
to display them.
In a QoS policy for control planes, if a system index classifier is configured, the associated traffic
behavior can contain only the CAR or accounting action. In addition, if the CAR action is
configured, only its CIR setting can be applied.
Displaying and Maintaining QoS Policies

To do
Display traffic class information
Use the command

display traffic classifier
user-defined [ tcl-name ]
Display traffic behavior
display traffic behavior
configuration information
user-defined [ behavior-name ]
Display user-defined QoS policy

Display QoS policy configuration

on the specified or all interfaces
Display VLAN QoS policy

configuration on a distributed
device
Remarks
display qos policy user-defined

[ policy-name [ classifier
tcl-name ] ]
display qos policy interface
[ interface-type interface-number ]
[ inbound | outbound ]
display qos vlan-policy { name
policy-name | vlan vlan-id } [ slot
slot-number ] [ inbound |
outbound ]
3-10
To do
Use the command
Remarks
display qos vlan-policy { name

Display VLAN QoS policy
policy-name | vlan [ vlan-id ] }
configuration on a distributed IRF
[ chassis chassis-number slot
device
outbound ]
Display information about QoS
display qos policy global [ slot
policies applied globally on a
distributed device
outbound ]
Display information about QoS

policies applied globally on a
distributed IRF device
Display information about control

plane QoS policies on a distributed
device
Display information about control

plane QoS policies on a distributed
IRF device
display qos policy global

display qos policy

control-plane [ slot
display qos policy control-plane

control-plane pre-defined
policies on a distributed device
[ slot slot-number ]
Display information about
display qos policy control-plane
pre-defined control plane QoS
pre-defined [ chassis
policies on a distributed IRF device

reset qos vlan-policy [ vlan
vlan-id ] [ inbound | outbound ]
Clear the statistics for a QoS policy
reset qos policy global
applied globally
[ inbound | outbound ]
a distributed device
Clear the statistics for the QoS

policy applied to a control plane on
a distributed IRF device
outbound ]
display qos policy
policy applied to a control plane on
outbound ]
pre-defined control plane QoS
Clear the statistics for the QoS
outbound ]
Display information about
Clear VLAN QoS policy statistics
reset qos policy

control-plane [ slot
outbound ]
reset qos policy control-plane
outbound ]
3-11
3-12
Priority Mapping Configuration

When configuring priority mapping, go to these sections for information you are interested in:
z
Priority Mapping Overview
Priority Mapping Configuration Tasks
Configuring Priority Mapping
Displaying and Maintaining Priority Mapping
Priority Mapping Configuration Examples
Priority Mapping Overview

Introduction to Priority Mapping
The priorities of a packet determine its transmission priority. There are two types of priority: priorities
carried in packets and priorities locally assigned for scheduling only.
The packet-carried priorities include 802.1p priority, DSCP precedence, IP precedence, EXP, and so
on. These priorities have global significance and affect the forwarding priority of packets across the
network.
The locally assigned priorities have only local significance. They are assigned by the device for
scheduling only. These priorities include the local precedence and drop precedence, as follows.
z
Local precedence is used for queuing. A local precedence value corresponds to an output queue.
A packet with higher local precedence is assigned to a higher priority output queue to be
preferentially scheduled.
Drop precedence is used for making packet drop decisions. Packets with the highest drop
precedence are dropped preferentially.
When a packet enters the device from a port, the device assigns a set of QoS priority parameters to
the packet based on a certain priority and sometimes may modify its priority, according to certain rules
depending on device status. This process is called priority mapping. The priority based on which
priority mapping is performed depends on the priority trust mode configured on the port . The set of
QoS priority parameters decides the scheduling priority and forwarding priority of the packet.

Priority mapping is implemented with priority mapping tables. The device provides various types of
priority mapping tables, or rather, priority mappings. By looking up a priority mapping table, the device
decides which priority value is to assign to a packet for subsequent packet processing.
z
dot1p-dp: 802.1p-to-drop priority mapping table.
dot1p-exp: 802.1p-to-EXP priority mapping table. (Available only on the EB and SD cards)
dot1p-lp: 802.1p-to-local priority mapping table.
dscp-dot1p: DSCP-to-802.1p priority mapping table, which is applicable to only IP packets.
dscp-dp: DSCP-to-drop priority mapping table, which is applicable to only IP packets.

4-1
dscp-dscp: DSCP-to-DSCP priority mapping table, which is applicable to only IP packets.
exp-dot1p: EXP-to-802.1p priority mapping table. (Available only on the EB and SD cards)
exp-dp: EXP-to-drop priority mapping table.
The default priority mapping tables (as shown in Appendix A Default Priority Mapping Tables) are
available for priority mapping. Generally, they are sufficient for priority mapping. If a default priority
mapping table cannot meet your requirements, you can modify the priority mapping table as required.
Priority Trust Mode on a Port

The priority trust mode on a port decides which priority is used for priority mapping table lookup. There
are two priority trust modes on the H3C S7500E series switches:
z
dot1p: Uses the 802.1p priority carried in packets for priority mapping.
dscp: Uses the DSCP carried in packets for priority mapping.
In addition, port priority was introduced for 802.1q untagged packets. Thus, when a port configured
with the 802.1p trust mode receives an 802.1q untagged packet, the priority of the port is used as the
802.1p priority of the packet for priority mapping table lookup.
The priority mapping procedure varies with the priority modes, as described in the next section Priority
Mapping Procedure.
Priority Mapping Procedure

Figure 4-1 presents how the S7500E performs priority mapping for an Ethernet packet. The procedure
differs depending on whether the packet is 802.1q tagged or not.
4-2
Figure 4-1 Priority mapping procedure for an Ethernet packet

Receive a
packet on a port
Use the port

priority as the
802.1p priority of
the packet
Which priority is
trusted on the
port?
DSCP in packets
802.1p in
packets
Look up the
dscp-dp, dscpdot1p, and dscpdscp tables
Is the packet
802.1q tagged?
Mark the packet

with 802.1p
priority, drop
precedence, and
new DSCP
precedence
Look up the
dot1p-dp and
dot1p-lp tables
Look up the
dot1p-dp and
dot1p-lp tables
Look up the
dot1p-lp table
Mark the packet

with local
precedence and
drop precedence
Mark the packet

with local
precedence and
drop precedence
Mark the packet

with local
precedence
Schedule the packet

according to its local
precedence and drop
precedence
For an MPLS packet, the priority mapping procedure as shown in Figure 4-2 is adopted:
4-3
Figure 4-2 Priority mapping procedure for an MPLS packet

Receive a
packet
Look up the
exp-dp table
Look up the
exp-dot1p table
Mark the packet

with drop
precedence
Mark the packet

with new 802.1p
priority
Look up the
dot1p-lp table
Mark the packet

with local
precedence
Schedule the packet
according to its local
precedence and drop
precedence
The priority mapping procedure presented above applies in the absence of priority marking. If priority
marking is configured, the device performs priority marking before priority mapping, and then uses the
re-marked packet-carried priority for priority mapping or directly uses the re-marked scheduling priority
for traffic scheduling depending on your configuration. In this case, neither priority trust mode
configuration on the port nor port priority configuration takes effect.
Priority Mapping Configuration Tasks

You are recommended to plan QoS throughout the network before making QoS configuration.
Complete the following task to configure priority mapping:
Task
Remarks
Configuring a Priority Mapping Table
Optional
Configuring the Priority Trust Mode on a Port
Optional
Configuring the Port Priority of a Port
Optional
4-4
Configuring Priority Mapping

Follow these steps to configure an uncolored priority mapping table:
To do
Use the command
Enter system view
system-view
Remarks
qos map-table { dot1p-dp |

Enter priority mapping table view
dot1p-exp | dot1p-lp |
dscp-dot1p | dscp-dp |
Required
dscp-dscp | exp-dot1p | exp-dp }

Required
Configure the priority mapping
import import-value-list export
table
export-value
Newly configured mappings

overwrite the old ones.
display qos map-table

Display the configuration of the
[ dot1p-dp | dot1p-exp | dot1p-lp
Optional
priority mapping table
| dscp-dot1p | dscp-dp |
dscp-dscp | exp-dot1p | exp-dp ]
The 802.1p-to-EXP priority mapping table (dot1p-exp) and the EXP-to-802.1p priority mapping table
(exp-dot1p) are available only for the EB and SD cards.

Follow these steps to configure the trusted packet priority type on an interface/port group:
To do
Enter system view
Enter
Enter
interface
interface
view
Use the command
system-view
Enter port
group view
Configure
the priority
trust mode

Trust the
DSCP
priority in
Use either command

interface-number
view or port
group view
Remarks
Use either command

qos trust dscp
By default, the device trusts the

802.1p priority in packets.
packets
4-5
To do
Use the command
Remarks
Trust the
802.1p
priority in
undo qos trust
packets
Display the priority trust
mode configuration on the
port
display qos trust interface
Optional

You can change the port priority of a port used for priority mapping. For the priority mapping procedure,
see the Priority Mapping Procedure section.
Follow these steps to configure the port priority of a port for priority mapping:
To do
Enter system view
Enter
Enter
interface
interface
view
Use the command
system-view
Use either command

Settings in interface view take effect on
interface-number
the current interface; settings in port
view or port
group view
Remarks
Enter port
port-group manual
group view take effect on all ports in the
group view
port-group-name
port group.
Required
Configure the port priority
qos priority priority-value

The default port priority is 0.
Display the trusted packet

priority type and the
priorities of an interface
Optional
Displaying and Maintaining Priority Mapping

To do
Use the command
Remarks
display qos map-table

Display priority mapping table
[ dot1p-dp | dot1p-exp | dot1p-lp
configuration
| dscp-dot1p | dscp-dp |
dscp-dscp | exp-dot1p | exp-dp ]

Display the trusted packet priority
type on a port
4-6
Priority Mapping Configuration Examples

Priority Mapping Table and Priority Marking Configuration Example
For information about priority marking, see Priority Marking Configuration.
Network requirements
As shown in Figure 4-3, the enterprise network of a company interconnects all departments through
Device. The network is described as follows:
z
The marketing department connects to GigabitEthernet 2/0/1 of Device, which sets the 802.1p
priority of traffic from the marketing department to 3.
The R&D department connects to GigabitEthernet 2/0/2 of Device, which sets the 802.1p priority
of traffic from the R&D department to 4.
The management department connects to GigabitEthernet 2/0/3 of Device, which sets the 802.1p
priority of traffic from the management department to 5.
Configure port priority, 802.1p-to-local priority mapping table, and priority marking to implement the
plan as described in Table 4-1.
Table 4-1 Configuration plan
Queuing plan
Traffic
destination
Traffic Priority order

Traffic source
R&D department
R&D department > management
Public servers
department > marketing
Internet
through HTTP
management department >
Medium
Low
R&D department
Low
High
Medium
4-7
priority
Management
department
department
queue
High
Management
marketing department > R&D
Queue
department
department
Output
Figure 4-3 Network diagram for priority mapping table and priority marking configuration
Internet
Host
Host
Server
Server
GE2/0/5
Management department
Data server
GE2/0/3
GE2/0/2
R&D department
GE2/0/4
Device
GE2/0/1
Host
Server
Mail server
Public servers
Configuration procedure
1)
Configure trusting port priority
# Set the port priority of GigabitEthernet 2/0/1 to 3.

<Device> system-view
[Device] interface gigabitethernet 2/0/1
[Device-GigabitEthernet2/0/1] qos priority 3
[Device-GigabitEthernet2/0/1] quit

[Device-GigabitEthernet2/0/2] qos priority 4

[Device-GigabitEthernet1/3] qos priority 5
[Device-GigabitEthernet1/3] quit
2)
Configure the priority mapping table
# Configure the 802.1p-to-local priority mapping table to map 802.1p priority values 3, 4, and 5 to local
precedence values 2, 6, and 4.
[Device] qos map-table dot1p-lp
[Device-maptbl-dot1p-lp] import 3 export 2
[Device-maptbl-dot1p-lp] quit
3)
Configure priority marking
4-8
# Mark the HTTP traffic of the management department, marketing department, and R&D department
to the Internet with 802.1p priorities 4, 5, and 3 respectively. Use the priority mapping table configured
above to map the 802.1p priorities to local precedence values 6, 4, and 2 respectively for differentiated
traffic treatment.
# Create ACL 3000 to match HTTP traffic.
[Device] acl number 3000
[Device-acl-adv-3000] rule permit tcp destination-port eq 80
[Device-acl-adv-3000] quit
# Create class http and reference ACL 3000 in the class.

[Device] traffic classifier http
[Device-classifier-http] if-match acl 3000
[Device-classifier-http] quit
# Configure a priority marking policy for the management department and apply the policy to the
incoming traffic of GigabitEthernet 2/0/3.
[Device] traffic behavior admin
[Device-behavior-admin] remark dot1p 4
[Device-behavior-admin] quit
[Device] qos policy admin
[Device-qospolicy-admin] classifier http behavior admin
[Device-qospolicy-admin] quit
[Device-GigabitEthernet2/0/3] qos apply policy admin inbound
# Configure a priority marking policy for the marketing department and apply the policy to the incoming
traffic of GigabitEthernet 2/0/1.
[Device] traffic behavior market
[Device-behavior-market] remark dot1p 5
[Device-behavior-market] quit
[Device] qos policy market
[Device-qospolicy-market] classifier http behavior market
[Device-qospolicy-market] quit
[Device-GigabitEthernet2/0/1] qos apply policy market inbound
# Configure a priority marking policy for the R&D department and apply the policy to the incoming
traffic of GigabitEthernet 2/0/2.
[Device] traffic behavior rd
[Device-behavior-rd] remark dot1p 3
[Device-behavior-rd] quit
[Device] qos policy rd
[Device-qospolicy-rd] classifier http behavior rd
[Device-qospolicy-rd] quit
[Device-GigabitEthernet2/0/2] qos apply policy rd inbound
4-9
Traffic Policing, Traffic Shaping, and Line Rate

Configuration
When configuring traffic classification, traffic policing, and traffic shaping, go to these sections for
information you are interested in:
z
Traffic Policing, Traffic Shaping, and Line Rate Overview
Configuring Traffic Policing
Configuring GTS
Configuring the Line Rate
Displaying and Maintaining Traffic Policing, GTS, and Line Rate
Traffic Policing, Traffic Shaping, and Line Rate Overview

Without limits on user traffic, a network can be overwhelmed very easily. To help assign network
resources such as bandwidth efficiently to improve network performance and hence user satisfaction,
QoS technologies such as traffic policing, traffic shaping, and rate limit were introduced. For example,
you can configure a flow to use only the resources committed to it in a certain time range, thus
avoiding network congestion caused by burst traffic.
Traffic policing and generic traffic shaping (GTS) limit traffic rate and resource usage according to
traffic specifications. Once a particular traffic exceeds its specifications such as bandwidth assigned to
it, it is shaped or policed to ensure that it is under the specifications. Generally, token buckets are used
to evaluate traffic specifications.
Traffic Evaluation and Token Buckets

Token bucket features
A token bucket is analogous to a container holding a certain number of tokens. The system puts tokens
into the bucket at a set rate. When the token bucket is full, the extra tokens overflows.
Evaluating traffic with the token bucket

The evaluation of traffic specifications is based on whether the number of tokens in the bucket can
meet the need of packet forwarding. Generally, one token is associated with a 1-bit forwarding
authority. If the number of tokens in the bucket is enough for forwarding the packets, the traffic
conforms to the specification and is called conforming traffic; otherwise, the traffic does not conform to
the specification and is called excess traffic.
A token bucket has the following configurable parameters:
z
Mean rate at which tokens are put into the bucket, namely, the permitted average rate of traffic. It
is usually set to the committed information rate (CIR).
Burst size or the capacity of the token bucket. It is the maximum traffic size that is permitted in
each burst. It is usually set to the committed burst size (CBS). The set burst size must be greater
than the maximum packet size.
5-1
Evaluation is performed for each arriving packet. In each evaluation, if the number of tokens in the
bucket is enough, the traffic conforms to the specification and the corresponding tokens for forwarding
the packet are taken away; if the number of tokens in the bucket is not enough, it means that too many
tokens have been used and the traffic is excessive.
Complicated evaluation
You can set two token buckets, the C bucket and the E bucket, to evaluate traffic in a more
complicated environment and achieve more policing flexibility. For example, traffic policing uses four
parameters:
z
CIR: Rate at which tokens are put into the C bucket, that is, the average packet transmission or
forwarding rate allowed by the C bucket.
CBS: Size of the C bucket, that is, transient burst of traffic that the C bucket can forward.
Peak information rate (PIR): Rate at which tokens are put into the E bucket, that is, the average
packet transmission or forwarding rate allowed by the E bucket.
Excess burst size (EBS): Size of the E bucket, that is, transient burst of traffic that the E bucket
can forward.
CBS is implemented with the C bucket and EBS with the E bucket. In each evaluation, packets are
measured against the buckets:
z
If the C bucket has enough tokens, packets are colored green.
If the C bucket does not have enough tokens but the E bucket has enough tokens, packets are
colored yellow.
If neither the C bucket nor the E bucket has sufficient tokens, packets are colored red.
Traffic Policing
Traffic policing supports policing traffic in the inbound direction and the outbound direction. Thereafter,
the outbound direction is taken for example.
A typical application of traffic policing is to supervise the specification of certain traffic entering a
network and limit it within a reasonable range, or to "discipline" the extra traffic. In this way, the network
resources and the interests of the user are protected. For example, you can limit bandwidth for HTTP
packets to less than 50% of the total. If the traffic of a certain session exceeds the limit, traffic policing
can drop the packets or reset the IP precedence of the packets.
5-2
Figure 5-1 Schematic diagram for traffic policing
Packets to be sent
through this interface
Tokens are put into the

bucket at the set rate
Packets sent
Packet
classification
Token
bucket
Queue
Packets dropped
Traffic policing is widely used in policing traffic entering the networks of internet service providers
(ISPs). It can classify the policed traffic and take pre-defined policing actions on each packet
depending on the evaluation result:
z
Forwarding the traffic if the evaluation result is conforming.
Dropping the traffic if the evaluation result is excess.
Modifying the DSCP priority of the conforming traffic and forwarding it.
Traffic Shaping
Traffic shaping supports shaping traffic to the outgoing traffic.
Traffic shaping provides measures to adjust the rate of outbound traffic actively. A typical traffic
shaping application is to limit the local traffic output rate according to the downstream traffic policing
parameters.
The difference between traffic policing and GTS is that packets to be dropped with traffic policing are
retained in a buffer or queue with GTS, as shown in Figure 5-2. When there are enough tokens in the
token bucket, the buffered packets are sent at an even rate. Traffic shaping may result in additional
delay while traffic policing does not.
5-3
Figure 5-2 Schematic diagram for GTS
Packets to be sent
through this interface
Tokens are put into the

bucket at the set rate
Packets sent
Packet
classification
Token
bucket
Queue
Packets dropped
For example, in Figure 5-3, Switch A sends packets to Switch B. Switch B performs traffic policing on
packets from Switch A and drops packets exceeding the limit.
Figure 5-3 GTS application
You can perform traffic shaping for the packets on the outgoing interface of Switch A to avoid
unnecessary packet loss. Packets exceeding the limit are cached in Switch A. Once resources are
released, traffic shaping takes out the cached packets and sends them out. In this way, all the traffic
sent to Switch B conforms to the traffic specification defined in Switch B.
Line Rate
Line rate supports rate-limiting traffic in the outbound direction.
The line rate of a physical interface specifies the maximum rate for forwarding packets (including
critical packets).
Line rate also uses token buckets for traffic control. With line rate configured on an interface, all
packets to be sent through the interface are firstly handled by the token bucket at line rate. If there are
enough tokens in the token bucket, packets can be forwarded; otherwise, packets are put into QoS
queues for congestion management. In this way, the traffic passing the physical interface is controlled.
5-4
Figure 5-4 Line rate implementation
In the token bucket approach to traffic control, bursty traffic can be transmitted so long as enough
tokens are available in the token bucket; if tokens are inadequate, packets cannot be transmitted until
the required number of tokens are generated in the token bucket. Thus, traffic rate is restricted to the
rate for generating tokens, thus limiting traffic rate and allowing bursty traffic.
Line rate can only limit the total traffic rate on a physical port, while traffic policing can limit the rate of a
flow on a port. To limit the rate of all the packets on a port, using line rate is easier.

Follow these steps to configure traffic policing:
To do
Use the command
Remarks
Enter system view
system-view
traffic classifier tcl-name [ operator { and
view
| or } ]
Configure the match criteria
Exit class view
quit
Create a behavior and enter

behavior view
5-5
To do
Use the command
Remarks
Required
car cir committed-information-rate [ cbs

Configure a traffic policing
action
committed-burst-size [ ebs
On SC, SA, and EA LPUs,
excess-burst-size ] ] [ pir
the granularity of traffic
peak-information-rate ] [ green action ]
policing is 64 kbps.
[ yellow action ] [ red action ]
On SD and EB LPUs, the

granularity of traffic policing
is 8 kbps.
Exit behavior view

Create a policy and enter
policy view
Associate the class with the
traffic behavior in the QoS
policy
Exit policy view
Apply the
QoS
policy
quit

behavior-name
quit
To an interface
To online users
To a VLAN
Globally
To the control
Applying the QoS policy to the control
plane
plane
Only SC, SD and EB cards support policing traffic in the outbound direction.
Configuration Example
Configure traffic policing on GigabitEthernet 2/0/1 to limit the rate of received HTTP traffic to 512 kbps
and drop the exceeding traffic.
# Enter system view.
<Sysname> system-view
# Configure advanced ACL 3000 to match HTTP traffic.

[Sysname] acl number 3000
[Sysname-acl-adv-3000] rule permit tcp destination-port eq 80
5-6
[Sysname-acl-adv-3000] quit
# Create a class named http, and reference ACL 3000 in the class to match HTTP traffic.
[Sysname] traffic classifier http
[Sysname-classifier-http] if-match acl 3000
[Sysname-classifier-http] quit
# Configure a traffic policing QoS policy, and apply the QoS policy to the incoming packets of
GigabitEthernet 2/0/1.
[Sysname] traffic behavior http
[Sysname-behavior-http] car cir 512
[Sysname-behavior-http] quit
[Sysname] qos policy http
[Sysname-qospolicy-http] classifier http behavior http
[Sysname-qospolicy-http] quit
[Sysname] interface gigabitethernet 2/0/1
[Sysname-GigabitEthernet2/0/1] qos apply policy http inbound
Configuring GTS
On the H3C S7500E series switches, traffic shaping is implemented as queue-based GTS, that is,
configuring GTS parameters for packets of a certain queue.
Follow these steps to configure queue-based GTS:
To do
Enter system view
Use the command
Remarks
system-view
Enter
Enter
interface
interface
view
interface interface-type interface-number
Use either command

view or
port group
Enter port
view
group

view
Required
Configure GTS for a

queue
qos gts queue queue-number cir

committed-information-rate [ cbs
committed-burst-size ]
On SC, SA, and EA LPUs, the

granularity of GTS is 64 kbps.

granularity of GTS is 8 kbps.
Display GTS
configuration
display qos gts interface [ interface-type
Optional
information on the
interface-number ]
interface/all interfaces
5-7
Configure GTS on GigabitEthernet2/0/1, shaping the packets of queue 1 when the sending rate
exceeds 512 kbps.
# Enter interface view.

# Configure GTS parameters.

[Sysname-GigabitEthernet2/0/1] qos gts queue 1 cir 512

Follow these steps to configure the line rate:
To do
Enter system view
Use the command
system-view
Enter
Enter
interface
interface
view
Use either command

Enter port
group view
Settings in interface view take effect

on the current interface; settings in
view or port
group view
Remarks
port group view take effect on all

ports in the port group.

Required
Configure the inbound or
qos lr outbound cir
outbound line rate for the
interface/port group
committed-burst-size ]

granularity of line rate is 64 kbps.

granularity of line rate is 8 kbps.
Display line rate

display qos lr interface [ interface-type
on the interface/all
interface-number ]
interfaces
Limit the outbound line rate of GigabitEthernet 2/0/1 to 512 kbps.

5-8
# Limit the outbound line rate of GigabitEthernet 2/0/1 to 512 kbps.

[Sysname-GigabitEthernet2/0/1] qos lr outbound cir 512
Displaying and Maintaining Traffic Policing, GTS, and Line Rate
On the S7500E series switches, you can configure traffic policing in policy-based approach. For
related displaying and maintaining commands, see Displaying and Maintaining QoS Policies.
To do
Use the command
Display interface GTS
display qos gts interface
Display interface line rate
display qos lr interface
5-9
Remarks
Congestion Management Configuration

When configuring hardware congestion management, go to these sections for information you are
interested in:
z
Congestion Management Overview
Congestion Management Configuration Approaches
Per-Queue Hardware Congestion Management
Displaying and Maintaining Congestion Management
Congestion Management Overview

Causes, Impacts, and Countermeasures of Congestion
Network congestion is a major factor contributed to service quality degrading on a traditional network.
Congestion is a situation where the forwarding rate decreases due to insufficient resources, resulting
in extra delay.
Congestion easily occurs in complex packet switching circumstances in the Internet. The following
figure shows two common cases:
Figure 6-1 Traffic congestion causes
100M
100M
10M
100M
10M
100M>10M
50M
100M+10M+50M>100M
1
Congestion may bring these negative results:

z
Increased delay and jitter during packet transmission
Decreased network throughput and resource use efficiency
Network resource (memory in particular) exhaustion and even system breakdown
Congestion is unavoidable in switched networks and multi-user application environments. To improve

the service performance of your network, you must take some proper measures to address the
congestion issues.
The key to congestion management is how to define a dispatching policy for resources to decide the
order of forwarding packets when congestion occurs.
6-1
Congestion Management Policies

In general, congestion management uses queuing technology. The system uses a certain queuing
algorithm for traffic classification, and then uses a certain precedence algorithm to send the traffic.
Each queuing algorithm addresses a particular network traffic problem and which algorithm is used
affects bandwidth resource assignment, delay, and jitter significantly.
Queue scheduling processes packets by their priorities, preferentially forwarding high-priority packets.
In the following section, Strict Priority (SP) queuing, Weighted Fair Queuing (WFQ), and Weighted
Round Robin (WRR) queuing are introduced.
SP queuing
SP queuing is specially designed for mission-critical applications, which require preferential service to
reduce the response delay when congestion occurs.
Figure 6-2 Schematic diagram for SP queuing
As shown in Figure 6-2, SP queuing classifies eight queues on a port into eight classes, numbered 7 to
0 in descending priority order.
SP queuing schedules the eight queues strictly according to the descending order of priority. It sends
packets in the queue with the highest priority first. When the queue with the highest priority is empty, it
sends packets in the queue with the second highest priority, and so on. Thus, you can assign
mission-critical packets to the high priority queue to ensure that they are always served first and
common service packets to the low priority queues and transmitted when the high priority queues are
empty.
The disadvantage of SP queuing is that packets in the lower priority queues cannot be transmitted if
there are packets in the higher priority queues. This may cause lower priority traffic to starve to death.
WRR queuing
WRR queuing schedules all the queues in turn to ensure that every queue can be served for a certain
time, as shown in Figure 6-3.
6-2
Figure 6-3 Schematic diagram for WRR queuing

Queue 0 Weight 1
Packets to be sent through

this port
Queue 1 Weight 2
Sent packets
Interface
Queue N-2 Weight N-1

Queue
scheduling
Packet
classification
Sending queue
Queue N-1 Weight N
Assume there are eight output queues on a port. WRR assigns each queue a weight value
(represented by w7, w6, w5, w4, w3, w2, w1, or w0) to decide the proportion of resources assigned to
the queue. On a 100 Mbps port, you can configure the weight values of WRR queuing to 5, 3, 1, 1, 5, 3,
1, and 1 (corresponding to w7, w6, w5, w4, w3, w2, w1, and w0 respectively). In this way, the queue
with the lowest priority is assured of 5 Mbps of bandwidth at least, thus avoiding the disadvantage of
SP queuing that packets in low-priority queues may fail to be served for a long time.
Another advantage of WRR queuing is that while the queues are scheduled in turn, the service time for
each queue is not fixed, that is, if a queue is empty, the next queue will be scheduled immediately. This
improves bandwidth resource use efficiency.
WFQ queuing
Figure 6-4 Schematic diagram for WFQ queuing
Queue 1 Band width 1
Packets to be sent through

this port
Queue 2 Band width 2
Sent packets
Interface
Queue N-1 Band width N-1

Queue
scheduling
Packet
classification
Sending queue
Queue N Band width N
WFQ is derived from fair queuing (FQ), which is designed for fairly sharing network resources,
reducing the delay and jitter of all traffic. FQ fully consider the interests of all queues to ensure that:
z
Different queues have fair dispatching opportunities, preventing a single queue from being
delayed for too long.
6-3
Short packets and long packets are fairly scheduled: if there are both long packets and short
packets in queues, statistically the short packets should be scheduled preferentially to reduce the
jitter between packets as a whole.
Compared with FQ, WFQ takes weights into account when determining the queue scheduling order.
Statistically, WFQ gives high priority traffic more scheduling opportunities than low priority traffic. WFQ
can automatically classify traffic according to the session information of traffic (protocol type, TCP or
UDP source/destination port numbers, source/destination IP addresses, IP precedence bits in the ToS
field, and so on), and try to provide as many queues as possible so that each traffic flow can be put into
these queues to balance the delay of every traffic flow as a whole. When dequeuing packets, WFQ
assigns the outgoing interface bandwidth to each traffic flow by precedence. The higher precedence
value a traffic flow has, the more bandwidth it gets.
Additionally, WFQ can work with the minimum guaranteed bandwidth mechanism. You can configure a
minimum guaranteed bandwidth for each WFQ queue to guarantee that each WFQ queue is
guaranteed of the bandwidth when congestion occurs. The assignable bandwidth (assignable
bandwidth = total bandwidth the sum of the minimum guaranteed bandwidth for each queue) is
allocated to queues based on queue priority.
For example, assume that the total bandwidth of a port is 10 Mbps, and there are five flows on the port
currently, with the precedence being 0, 1, 2, 3, and 4 and the minimum guaranteed bandwidth being
128 kbps, 128 kbps, 128 kbps, 64 kbps, and 64 kbps respectively.
z
The assignable bandwidth = 10 Mbps (128 kbps + 128 kbps + 128 kbps + 64 kbps + and 64
kbps) = 9.5 Mbps
The total assignable bandwidth quota is the sum of all the (precedence value + 1)s, that is, 1 + 2 +
3 + 4 + 5 = 15.
The bandwidth percentage assigned to each flow is (precedence value of the flow + 1)/total
assignable bandwidth quota. The bandwidth percentages for the flows are 1/15, 2/15, 3/15, 4/15,
and 5/15 respectively.
The bandwidth finally assigned to a queue = the minimum guaranteed bandwidth + the bandwidth
allocated to the queue from the assignable bandwidth
Because WFQ can balance delay and jitter among flows when congestion occurs, it is effectively
applied in some special occasions. For example, WFQ is used for the assured forwarding (AF)
services of the Resource Reservation Protocol (RSVP). In Generic Traffic Shaping (GTS), WFQ is
used to schedule buffered packets.
SP+WRR queuing
By assigning some queues on the port to the SP scheduling group and the others to the WRR
scheduling group (that is, group 1), you implement SP + WRR queue scheduling on the port. Packets
in the SP scheduling group are scheduled preferentially. When the SP scheduling group is empty,
packets in the WRR scheduling group are scheduled. Queues in the SP scheduling group are
scheduled with the SP queue scheduling algorithm. Queues in the WRR scheduling group are
scheduled with WRR.
Congestion Management Configuration Approaches

Complete the following tasks to achieve congestion management:
6-4
Task
Remarks
Configuring SP Queuing
Optional
Configure WRR Queuing
Optional
Configuring WFQ Queuing
Optional
Configuring SP+WRR Queues
Optional
Per-Queue Hardware Congestion Management

Follow these steps to configure SP queuing:
To do
Enter system view
Enter
Enter
interface
interface
view
Use the command
system-view
Use either command

interface-number
the current interface; settings in port
view or port
group view
Remarks
Enter port
port-group manual
group view take effect on all ports in the
group view
port-group-name
port group.
Optional
Configure SP queuing
qos sp
The default queuing algorithm on an

interface is SP queuing.
Display SP queuing
display qos sp interface
Optional
configuration
Configuration example
1)
Configure GigabitEthernet 2/0/1 to use SP queuing.

2)
# Enter system view

# Configure GigabitEthernet2/0/1 to use SP queuing.

[Sysname]interface gigabitethernet 2/0/1
[Sysname-GigabitEthernet2/0/1] qos sp
6-5

Follow these steps to configure group-based WRR queuing:
To do
Enter system view
Enter
Enter
interface
interface
view
Use the command
system-view
Enter port
group view
Use either command

interface-number
view or port
group view
Remarks


Optional
Enable WRR queuing
qos wrr
The default queuing algorithm on

an interface is SP queuing.
Configure a WRR queue
qos wrr queue-id group 1 weight

schedule-value
Required
Display WRR queuing
display qos wrr interface
Optional
1)
Enable WRR queuing on the interface GigabitEthernet 2/0/1.
Assign queues 0 through 7 to the WRR group, with their weights being 1, 3, 3, 5, 8, 8, 10, and 15.
2)

# Configure WRR queuing on GigabitEthernet 2/0/1.

[Sysname-GigabitEthernet2/0/1] qos wrr
[Sysname-GigabitEthernet2/0/1] qos wrr 0 group 1 weight 1

Follow these steps to configure an WFQ queue:
6-6
To do
Enter system view
Enter
Enter
interface
interface
view
Use the command
system-view
Enter port
group view
Use either command

interface-number
view or port
group view
Remarks


Required
Enable WFQ queuing
qos wfq
The default queuing algorithm on

an interface is SP queuing.
Configure the minimum
qos bandwidth queue queue-id min
Required
bandwidth-value
64 kbps by default
qos wfq queue-id weight
Required
schedule-value
1 by default
Display WFQ queuing
display qos wfq interface
Optional
configuration
guaranteed bandwidth for

an WFQ queue
Specify the queue
scheduling weight for an
WFQ queue
The support of different cards for the minimum guaranteed bandwidth and scheduling weight
configuration for WFQ queues varies as follows:
z
The SC, SD, and EB cards support both minimum guaranteed bandwidth and scheduling weight
configurations.
The EA cards support both configurations too, but the scheduling weight for each queue can only
be 1.
The SA cards support only the scheduling weight configuration.
1)
Configure the queues on port GigabitEthernet2/0/1 as WFQ queues and sets the scheduling
weights of queues 1, 3, 4, 5, and 6 to 1, 5, 10, 15, and 10 respectively.
Set the minimum guaranteed bandwidth of queue 1 to 128 kbps.
2)

# Configure WFQ queues on GigabitEthernet 2/0/1.

6-7

[Sysname-GigabitEthernet2/0/1] qos wfq
[Sysname-GigabitEthernet2/0/1] qos wfq 1 weight 1
# Set the minimum guaranteed bandwidth of queue 1 to 128 kbps.

[Sysname-GigabitEthernet2/0/1] qos bandwidth queue 1 min 128

Follow these steps to configure SP + WRR queues:
To do
Enter system view
Enter
Use the command

system-view
Enter interface
Use either command
view
interface-number
Enter port
port-group manual
group view
port-group-name
interface
view or port
group view
Remarks
the current interface; settings in port group

view take effect on all ports in the port
group.
Required
Enable the WRR queue

scheduling on the port
qos wrr
The default queuing algorithm on an

interface is SP queuing.
Configure SP queue
scheduling
Configure WRR queue

scheduling
qos wrr queue-id group sp
Required
qos wrr queue-id group

group-id byte-count
Required
schedule-value
z
Configure to adopt SP+WRR queue scheduling algorithm on GigabitEthernet2/0/1.
Configure queue 0, queue 1, queue 2 and queue 3 on GigabitEthernet2/0/1 to be in SP queue

scheduling group.
Configure queue 4, queue 5, queue 6 and queue 7 on GigabitEthernet2/0/1 to be in WRR queue

scheduling group, with the weight being 2, 4, 6 and 8 respectively.
# Enable the SP+WRR queue scheduling algorithm on GigabitEthernet2/0/1.

6-8
[Sysname] interface GigabitEthernet 2/0/1

[Sysname-GigabitEthernet2/0/1] qos wrr
[Sysname-GigabitEthernet2/0/1] qos wrr 0 group sp
Displaying and Maintaining Congestion Management

To do
Use the command
Display WRR queue configuration
display qos wrr interface [ interface-type
information
interface-number ]
Display SP queue configuration
display qos sp interface [ interface-type
information
interface-number ]
Display WFQ queue configuration
display qos wfq interface [ interface-type
information
interface-number ]
6-9
Remarks
Congestion Avoidance
When configuring congestion avoidance, go to these sections for information you are interested in:
z
Congestion Avoidance Overview
Introduction to WRED Configuration
Configuring WRED on an Interface
Displaying and Maintaining WRED
Congestion Avoidance Overview

Avoiding congestion before it occurs to deteriorate network performance is a proactive approach to
improving network performance. As a flow control mechanism, congestion avoidance actively drops
packets when congestion is expected to occur or deteriorate by monitoring the utilization of network
resources (such as queues or memory buffers) to alleviate the load on the network.
Compared with end-to-end flow control, this flow control mechanism controls the load of more flows in
a device. When dropping packets from a source end, it cooperates with the flow control mechanism
(such as TCP flow control) at the source end to regulate the network traffic size. The combination of
the local packet drop policy and the source-end flow control mechanism helps maximize throughput
and network use efficiency and minimize packet loss and delay.
Traditional packet drop policy

Tail drop is the traditional approach to congestion avoidance. In this approach, when the size of a
queue reaches the maximum threshold, all the subsequent packets are dropped.
This results in global TCP synchronization. That is, if packets from multiple TCP connections are
dropped, these TCP connections go into the state of congestion avoidance and slow start to reduce
traffic, but traffic peak occurs later. Consequently, the network traffic jitters all the time.
RED and WRED

You can use random early detection (RED) or weighted random early detection (WRED) to avoid
global TCP synchronization.
Both RED and WRED avoid global TCP synchronization by randomly dropping packets. Thus, while
the sending rates of some TCP sessions slow down after their packets are dropped, other TCP
sessions remain at high sending rates. As there are always TCP sessions at high sending rates, link
bandwidth is efficiently utilized.
The RED or WRED algorithm sets an upper threshold and lower threshold for each queue, and
processes the packets in a queue as follows:
z
When the queue size is shorter than the lower threshold, no packet is dropped;
When the queue size reaches the upper threshold, all subsequent packets are dropped;
When the queue size is between the lower threshold and the upper threshold, the received
packets are dropped at random. The longer a queue is, the higher the drop probability is. However,
a maximum drop probability exists.
7-1
Different from RED, WRED determines differentiated drop policies for packets with different IP
precedence values. Packets with a lower IP precedence are more likely to be dropped.
Introduction to WRED Configuration

WRED Configuration Approaches
On an S7500E series switch, WRED is implemented with WRED tables. WRED tables are created
globally in system view and then applied to interfaces.
Introduction to WRED Parameters

Determine the following parameters before configuring WRED:
z
The upper threshold and lower threshold: when the average queue size is smaller than the lower
threshold, no packet is dropped. When the average queue size is between the lower threshold
and the upper threshold, packets are dropped randomly. The longer a queue, the higher the drop
probability. When the average queue size exceeds the upper threshold, subsequent packets are
dropped.
Drop precedence: a parameter used for packet drop. The value 0 corresponds to green packets,
the value 1 corresponds to yellow packets, and the value 2 corresponds to red packets. Red
packets are dropped preferentially.
Denominator for drop probability calculation: the bigger the denominator is, the smaller the
calculated drop probability is.
The S7500E series switches do not support the upper drop threshold.
Configuring WRED on an Interface
The SA cards do not support WRED.
In a WRED table, drop parameters are configured on a per queue basis, because WRED regulates
packets on a per queue basis.
A WRED table can be applied to multiple interfaces. For a WRED table already applied to an interface,
you can modify the values of the WRED table, but you cannot remove the WRED table.
Follow these steps to configure WRED:
7-2
To do
Use the command
Remarks
Enter system view
system-view
Create a WRED table
qos wred queue table table-name
Configure the drop
queue queue-id [ drop-level drop-level ]
parameters for each
low-limit low-limit [ discard-probability
queue in the WRED table
discard-prob ]
Optional
By default, the low-limit argument
is 100 and the discard-prob
argument is 10.
Enter
Enter
interface
interface
view
Use either command

view or port
group view
Enter port
group view
Apply the WRED table

qos wred apply table-name

Required
Apply a queue-based WRED table to port GigabitEthernet 2/0/1.
# Configure a queue-based WRED table.

[Sysname] qos wred queue table queue-table1
[Sysname-wred-table-queue-table1] quit

# Apply the queue-based WRED table to GigabitEthernet 2/0/1.

[Sysname-GigabitEthernet2/0/1] qos wred apply queue-table1
Displaying and Maintaining WRED

To do
Display WRED configuration
information on the interface or all
interfaces
Display configuration information
about a WRED table or all WRED
tables
Use the command
display qos wred interface

display qos wred table

[ table-name ]
7-3
Remarks
Traffic Filtering Configuration

When configuring traffic filtering, go to these sections for information you are interested in:
z
Traffic Filtering Overview
Configuring Traffic Filtering
Traffic Filtering Configuration Example
Traffic Filtering Overview

You can filter in or filter out a class of traffic by associating the class with a traffic filtering action. For
example, you can filter packets sourced from a specific IP address according to network status. By
using ACL rules configured with a time range for traffic classification, you can implement time-based
traffic filtering.
Configuring Traffic Filtering

Follow these steps to configure traffic filtering:
To do
Use the command
Remarks
Enter system view
system-view
traffic classifier tcl-name [ operator
view
{ and | or } ]
Exit class view
quit

behavior view
Required
Configure the traffic filtering
action
filter { deny | permit }
deny: Drops packets.
permit: Permits packets to

pass through.
Exit behavior view

view
policy
quit

behavior-name
8-1
To do
Exit policy view
Apply the
QoS
policy
Use the command
Remarks
quit
To an interface
To online users
To a VLAN
Globally
To the control
plane
plane
Display the traffic filtering
display traffic behavior user-defined
Optional
configuration
[ behavior-name ]
With filter deny configured for a traffic behavior, the other actions (except class-based accounting) in
the traffic behavior do not take effect.
Support of Line Cards for the Traffic Filtering Function

Table 8-1 shows the support of line cards for the traffic filtering action for the inbound and outbound
traffic.
For line card categories and their description, see the installation manual for the S7500E series
switches.
Table 8-1 Support of line cards for the traffic filtering action
Traffic direction (right)
Inbound
Outbound
Card category (below)

SC
Supported
Supported
SA
Supported
Not supported
EA
Supported
Not supported
EB
Supported
Supported
8-2
Traffic direction (right)

Inbound
Outbound

SD
Supported
Supported

As shown in Figure 8-1, Host is connected to GigabitEthernet 2/0/1 of Device.
Configure traffic filtering to filter the packets whose source port is 21 received on GigabitEthernet 2/0/1.
Figure 8-1 Network diagram for traffic filtering configuration
# Create advanced ACL 3000, and configure a rule to match packets whose source port number is 21.
<DeviceA> system-view
[DeviceA] acl number 3000
[DeviceA-acl-basic-3000] rule 0 permit tcp source-port eq 21
[DeviceA-acl-basic-3000] quit
# Create a class named classifier_1, and reference ACL 3000 in the class.
[DeviceA] traffic classifier classifier_1
[DeviceA-classifier-classifier_1] if-match acl 3000
[DeviceA-classifier-classifier_1] quit
# Create a behavior named behavior_1, and configure the traffic filtering action for the behavior to
drop packets.
[DeviceA] traffic behavior behavior_1
[DeviceA-behavior-behavior_1] filter deny
[DeviceA-behavior-behavior_1] quit
# Create a policy named policy, and associate class classifier_1 with behavior behavior_1 in the
policy.
[DeviceA] qos policy policy
[DeviceA-qospolicy-policy] classifier classifier_1 behavior behavior_1
[DeviceA-qospolicy-policy] quit
# Apply the policy named policy to the incoming traffic of GigabitEthernet 2/0/1.
[DeviceA] interface gigabitethernet 2/0/1
[DeviceA-GigabitEthernet2/0/1] qos apply policy policy inbound
8-3
Priority Marking Configuration

When configuring priority marking, go to these sections for information you are interested in:
z
Priority Marking Overview
Configuring Priority Marking
Priority Marking Configuration Example
Priority Marking Overview
Priority marking can be used together with priority mapping. For details, see Priority Mapping Table
and Priority Marking Configuration Example.
Priority marking sets the priority fields or flag bits of packets to modify the priority of traffic. For example,
you can use priority marking to set IP precedence or DSCP for a class of IP traffic to change its
transmission priority in the network.
To configure priority marking, you can associate a class with a behavior configured with the priority
marking action to set the priority fields or flag bits of the class of packets.
Configuring Priority Marking

Follow these steps to configure priority marking:
To do
Use the command
Remarks
Enter system view
system-view
traffic classifier tcl-name [ operator { and
view
| or } ]
Exit class view
quit
remark dscp dscp-value
Optional

behavior view
Set the DSCP value for
packets
9-1
To do
Use the command
Remarks
Set the 802.1p priority for

packets or configure the
remark dot1p { 8021p |
inner-to-outer tag priority
customer-dot1p-trust }
Optional
copying function
Optional
Set the drop precedence for
remark drop-precedence
packets
drop-precedence-value
Applicable to only the

outbound direction
Set the IP precedence for
remark ip-precedence
packets
ip-precedence-value
Set the local precedence for
remark local-precedence
packets
local-precedence
Optional
Optional
Optional
The QoS-local-ID is used for
identifying services and has
Set the QoS-local-ID for
packets
only local significance. By

remark qos-local-id local-id-value
marking different classes of

traffic with the same QoS local
ID, you can re-classify them to
apply a uniform set of QoS
actions on them.
Exit behavior view

Create a policy and enter
policy view
policy
Exit policy view
Apply the
QoS
policy
quit

behavior-name
quit
To an interface
To online users
To a VLAN
Globally
To the control
plane
plane
Display the priority marking
display traffic behavior user-defined
Optional
configuration
[ behavior-name ]
9-2
Support of Line Cards for Priority Marking

Table 9-1 and Table 9-2 show the support of line cards for the priority marking actions for the inbound
and outbound traffic.
switches.
Table 9-1 Support of SC/SA/EA cards for priority marking

Card
SC
category
SA
EA
(right)
Action
(below)
Inbound
Outbound
Inbound
Outbound
Inbound
Outbound
Remarking the
802.1p
precedence
Supported
Supported
Supported
Not supported
Supported
Not supported
Supported
Not supported
Supported
Not supported
for packets
Remarking the
drop
precedence
Supported
Not
supported
for packets
Remarking the
DSCP
precedence
Supported
Supported
Supported
Not supported
Supported
Not supported
Supported
Supported
Supported
Not supported
Supported
Not supported
Supported
Not supported
Supported
Not supported
for packets
Remarking the
IP precedence
for packets
Remarking the
local
precedence
Supported
Not
supported
for packets
9-3
Card
SC
category
SA
EA
(right)
Action
Inbound
(below)
Outbound
Inbound
Outbound
Inbound
Outbound
Remarking the
specified QoS
Not
Not
Not
local ID for
supported
supported
supported
Not supported
Not
supported
Not supported
packets.
Table 9-2 Support of EB/SD cards for priority marking

Card
category
EB
(right)
Action (below)
Inbound
SD
Outbound
Inbound
Outbound
Remarking the
802.1p precedence
Supported
Supported
Supported
Supported
Supported
Not supported
Supported
Not supported
Supported
Supported
Supported
Supported
Supported
Supported
Supported
Supported
Supported
Not supported
Supported
Not supported
Supported
Not supported
Supported
Not supported
for packets
Remarking the drop
precedence for
packets
Remarking the
DSCP precedence
for packets
Remarking the IP
precedence for
packets
Remarking the
local precedence
for packets
Remarking the
specified QoS local
ID for packets.
9-4

As shown in Figure 9-1, the enterprise network of a company interconnects hosts with servers through
Device. The network is described as follows:
z
Host A and Host B are connected to GigabitEthernet 2/0/1 of Device.
The data server, mail server, and file server are connected to GigabitEthernet 2/0/2 of Device.
Configure priority marking on Device to satisfy the following requirements:

Traffic source
Destination
Processing priority
Host A, B
Data server
High
Host A, B
Mail server
Medium
Host A, B
File server
Low
Figure 9-1 Network diagram for priority marking configuration

Internet
Data server
Host A
192.168.0.1/24
GE2/0/1
GE2/0/2
Mail server
192.168.0.2/24
Host B
Device
File server
192.168.0.3/24
# Create advanced ACL 3000, and configure a rule to match packets with destination IP address
192.168.0.1.
<Device> system-view
[Device-acl-adv-3000] rule permit ip destination 192.168.0.1 0
192.168.0.2.
192.168.0.3.
9-5

# Create a class named classifier_dbserver, and reference ACL 3000 in the class.
[Device] traffic classifier classifier_dbserver
[Device-classifier-classifier_dbserver] if-match acl 3000
[Device-classifier-classifier_dbserver] quit
# Create a class named classifier_mserver, and reference ACL 3001 in the class.
[Device] traffic classifier classifier_mserver
[Device-classifier-classifier_mserver] if-match acl 3001
[Device-classifier-classifier_mserver] quit
# Create a class named classifier_fserver, and reference ACL 3002 in the class.
[Device] traffic classifier classifier_fserver
[Device-classifier-classifier_fserver] if-match acl 3002
[Device-classifier-classifier_fserver] quit
# Create a behavior named behavior_dbserver, and configure the action of setting the local
precedence value to 4 for the behavior.
[Device] traffic behavior behavior_dbserver
[Device-behavior-behavior_dbserver] remark local-precedence 4
[Device-behavior-behavior_dbserver] quit
# Create a behavior named behavior_mserver, and configure the action of setting the local
[Device] traffic behavior behavior_mserver
[Device-behavior-behavior_mserver] remark local-precedence 3
[Device-behavior-behavior_mserver] quit
# Create a behavior named behavior_fserver, and configure the action of setting the local
[Device] traffic behavior behavior_fserver
[Device-behavior-behavior_fserver] remark local-precedence 2
[Device-behavior-behavior_fserver] quit
# Create a policy named policy_server, and associate classes with behaviors in the policy.
[Device] qos policy policy_server
[Device-qospolicy-policy_server] classifier classifier_dbserver behavior behavior_dbserver
[Device-qospolicy-policy_server] classifier classifier_mserver behavior behavior_mserver
[Device-qospolicy-policy_server] classifier classifier_fserver behavior behavior_fserver
[Device-qospolicy-policy_server] quit
# Apply the policy named policy_server to the incoming traffic of GigabitEthernet 2/0/1.
[Device-GigabitEthernet2/0/1] qos apply policy policy_server inbound
QoS-Local-ID Marking Configuration Example

QoS-local-ID marking is mainly used for re-classifying packets of multiple classes to perform a uniform
set of actions on them as a re-classified class.
Consider the case of limiting the total rate of packets with source MAC address 0001-0001-0001 and
packets with source IP address 1.1.1.1 to 128 kbps. Without QoS local ID marking, you can only
assign fixed bandwidth to the two classes by associating each of them with a rate-limit traffic behavior.
9-6
With QoS local ID marking, however, traffic limit applies to the two classes as a whole, allowing the
switch to dynamically assign the bandwidth to the two classes depending on their traffic size.
To configure QoS-local-ID marking to limit the total rate of the two classes, you need to mark packets
of the two classes with the same QoS-local-ID; create a class to match the QoS local ID, and associate
this class with the traffic policing action. The configuration procedure is as follows:
# Create ACL 2000 to match packets with source IP address 1.1.1.1.
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule permit source 1.1.1.1 0
[Sysname-acl-basic-2000] quit
# Create a class class_a to match both packets with source MAC address 0001-0001-0001 and
packets with source IP 1.1.1.1.
[Sysname] traffic classifier class_a operator or
[Sysname-classifier-class_a] if-match source-mac 1-1-1
[Sysname-classifier-class_a] if-match acl 2000
[Sysname-classifier-class_a] quit
# Create a behavior behavior_a, and configure the action of marking packets with QoS-local-ID 100
for the behavior.
[Sysname] traffic behavior behavior_a
[Sysname-behavior-behavior_a] remark qos-local-id 100
[Sysname-behavior-behavior_a] quit
# Create a class class_b to match packets with QoS-local-ID 100.

[Sysname] traffic classifier class_b
[Sysname-classifier-class_b] if-match qos-local-id 100
[Sysname-classifier-class_b] quit
# Create a behavior behavior_b, and configure the action of limiting traffic rate to 128 kbps for the
behavior.
[Sysname] traffic behavior behavior_b
[Sysname-behavior-behavior_b] car cir 128
[Sysname-behavior-behavior_b] quit
# Create a QoS policy car_policy. In the QoS policy, associate class class_a with behavior
behavior_a, and associate class class_b with behavior behavior_b.
[Sysname] qos policy car_policy
[Sysname-qospolicy-car_policy] classifier class_a behavior behavior_a
[Sysname-qospolicy-car_policy] classifier class_b behavior behavior_b
Apply the QoS policy car_policy to the interface, and you can satisfy the network requirements.
9-7
10
Traffic Redirecting Configuration
When configuring traffic redirecting, go to these sections for information you are interested in:
z
Traffic Redirecting Overview
Configuring Traffic Redirecting
Traffic Redirecting Overview

Traffic redirecting is the action of redirecting the packets matching the specific match criteria to a
certain location for processing.
Currently, the following four traffic redirecting actions are supported:
z
Redirecting traffic to the CPU: redirects packets which require processing by CPU to the CPU.
Redirecting traffic to an interface: redirects packets which require processing by an interface to the
interface. Note that this action is applicable to only Layer 2 packets, and the target interface
should be a Layer 2 interface.
Redirecting traffic to the next hop: redirects packets which require processing by an interface to
the interface. This action is applicable to only Layer 3 packets.
Configuring Traffic Redirecting

Follow these steps to configure traffic redirecting:
To do
Use the command
Remarks
Enter system view
system-view
view
{ and | or } ]
Exit class view
quit
Required

behavior view
redirect { cpu | interface interface-type

Configure a traffic redirecting
action
interface-number | next-hop { ipv4-add1

[ ipv4-add2 ] | ipv6-add1 [ interface-type
Optional
interface-number ] [ ipv6-add2
[ interface-type interface-number ] ] }
Exit behavior view

view
quit
10-1
To do
policy
Exit policy view
Apply the
QoS
Use the command

behavior-name
Remarks
quit
To an interface
To a VLAN
Globally
To the control
plane
plane
policy
Generally, the action of redirecting traffic to the CPU, the action of redirecting traffic to an interface,
and the action of redirecting traffic to the next hop are mutually exclusive with each other in the
same traffic behavior.
You can use the display traffic behavior command to view the traffic redirecting configuration.
A QoS policy that contains a traffic redirecting action can be applied only to the incoming traffic.
To implement QoS policy routing successfully, ensure that the next hop address specified in the
redirect action exist and the outgoing interface is not a tunnel interface. If you fail to do that, the
matching traffic will be dropped.
Support of Line Cards for Traffic Redirecting

Table 10-1 shows the support of line cards for the traffic redirecting action for the inbound and
outbound traffic.
switches.
10-2
Table 10-1 Support of line cards for the traffic redirecting action
Direction(right)
Inbound
Outbound

SC LPU
Supported
Not Supported
SA LPU
Supported
Not Supported
EA LPU
Supported
Not Supported
EB LPU
Supported
Not Supported
SD LPU
Supported
Not Supported
10-3
11
Aggregation CAR Configuration
Aggregation CAR Overview

With aggregation CAR, one CAR is used to rate limit flows on different ports as a whole. If aggregation
CAR is enabled for multiple ports, the total traffic on these ports must conform to the traffic policing
parameters set in the aggregation CAR.
The S7500E series switches implement aggregation CAR with QoS policies.
Only the SD and EB cards support QoS policies that contain aggregation CAR actions.
Referencing an Aggregation CAR in a Traffic Behavior

Configuration prerequisites
z
You have determined the parameters in the aggregation CAR.
You have determined the traffic behavior to reference the aggregation CAR.
Follow these steps to reference an aggregation CAR in a traffic behavior:
To do
Enter system view
Use the command
Remarks
system-view
Required
qos car car-name aggregative cir
z
Configure an aggregation
committed-burst-size [ ebs
CAR action
excess-burst-size ] ] [ pir
granularity of traffic policing is
peek-information-rate ] [ green action ]
64 kbps.
[ yellow action ] [ red action ]

granularity of traffic policing is
8 kbps.
Create a class and enter
class view
{ and | or } ]
11-1
To do
Use the command
Remarks
Exit class view
quit
Enter traffic behavior view
Required
car name car-name
Required
quit
To an interface
To a VLAN
Globally
To the control
plane
plane
Reference the aggregation

CAR in the traffic behavior
Exit policy view
Apply the
QoS
policy
Displaying and Maintaining Aggregation CAR

To do
Use the command
Remarks
Display the statistics for the
display qos car name
Required
specified aggregation CAR
[ car-name ]
Clear the statistics for the specified

aggregation CAR
Required
reset qos car name [ car-name ]
Configure an aggregation CAR to rate-limit the traffic of VLAN 10 and VLAN 100 received on
GigabitEthernet 2/0/1 using these parameters: CIR is 256 kbps, CBS is 2000 bytes, and the action for
red packets is discard.
# Configure an aggregation CAR according to the rate limit requirements.
[Sysname] qos car aggcar-1 aggregative cir 256 cbs 2000 red discard
# Create class 1 to match traffic of VLAN 10; create behavior 1, and reference the aggregation CAR in
the behavior.
[Sysname] traffic classifier 1
[Sysname-classifier-1] if-match customer-vlan-id 10
[Sysname-classifier-1] quit
[Sysname] traffic behavior 1
[Sysname-behavior-1] car name aggcar-1
[Sysname-behavior-1] quit
# Create class 2 to match traffic of VLAN 100; create behavior 2, and reference the aggregation CAR
in the behavior.
[Sysname] traffic classifier 2
11-2
[Sysname-classifier-2] if-match customer-vlan-id 100

[Sysname-classifier-2] quit
[Sysname] traffic behavior 2
[Sysname-behavior-2] car name aggcar-1
[Sysname-behavior-2] quit
# Create QoS policy car, associate class 1 with behavior 1, and associate class 2 with behavior 2.
[Sysname] qos policy car
[Sysname-qospolicy-car] classifier 1 behavior 1
[Sysname-qospolicy-car] classifier 2 behavior 2
[Sysname-qospolicy-car] quit
# Apply the QoS policy to the incoming traffic of GigabitEthernet 2/0/1.

[Sysname] interface GigabitEthernet 2/0/1
[Sysname-GigabitEthernet2/0/1]qos apply policy car inbound
11-3
12
Class-Based Accounting Configuration
When configuring class-based accounting, go to these sections for information you are interested in:
z
Class-Based Accounting Overview
Configuring Class-Based Accounting
Displaying and Maintaining Traffic Accounting
Class-Based Accounting Configuration Example
Class-Based Accounting Overview

Class-based accounting collects statistics on a per-traffic class basis. For example, you can define the
action to collect statistics for traffic sourced from a certain IP address. By analyzing the statistics, you
can determine whether there are anomalies and what action to take.
Configuring Class-Based Accounting

Follow these steps to configure class-based accounting:
To do
Use the command
Remarks
Enter system view
system-view
view
{ and | or } ]
Exit class view
quit
Required

behavior view
Configure the accounting
action
Exit behavior view
view
policy
Exit policy view
Optional
accounting
Traffic is counted in packets.
quit

behavior-name
quit
12-1
To do
Apply the
QoS
Use the command
Remarks
To an interface
To a VLAN
Globally
To the control
plane
plane
policy
Displaying and Maintaining Traffic Accounting

After completing the configuration above, you can verify the configuration with the display qos policy
global, display qos policy interface, or display qos vlan-policy command depending on the
occasion where the QoS policy is applied.

As shown in Figure 12-1, Host is connected to GigabitEthernet 2/0/1 of Device.
Configure class-based accounting to collect statistics for traffic sourced from 1.1.1.1/24 and received
on GigabitEthernet 2/0/1.
Figure 12-1 Network diagram for traffic accounting configuration
# Create basic ACL 2000, and configure a rule to match packets with source IP address 1.1.1.1.
<DeviceA> system-view
[DeviceA] acl number 2000
[DeviceA-acl-basic-2000] rule permit source 1.1.1.1 0
[DeviceA-acl-basic-2000] quit
# Create a class named classifier_1, and reference ACL 2000 in the class.
[DeviceA] traffic classifier classifier_1
[DeviceA-classifier-classifier_1] if-match acl 2000
[DeviceA-classifier-classifier_1] quit
# Create behavior behavior_1, and configure an accounting action in the behavior.

[DeviceA] traffic behavior behavior_1
[DeviceA-behavior-behavior_1] accounting byte
[DeviceA-behavior-behavior_1] quit
12-2
# Create a policy named policy, and associate class classifier_1 with behavior behavior_1 in the
policy.
[DeviceA] qos policy policy
[DeviceA-qospolicy-policy] classifier classifier_1 behavior behavior_1
[DeviceA-qospolicy-policy] quit
# Apply the policy named policy to the incoming traffic of GigabitEthernet 2/0/1.
[DeviceA] interface gigabitethernet 2/0/1
[DeviceA-GigabitEthernet2/0/1] qos apply policy policy inbound
[DeviceA-GigabitEthernet2/0/1] quit
# Display traffic statistics to verify the configuration.

[DeviceA] display qos policy interface gigabitethernet 2/0/1
Interface: GigabitEthernet2/0/1
Direction: Inbound
Policy: policy
Classifier: classifier_1
Operator: AND
Rule(s) : If-match acl 2000
Behavior: behavior_1
Accounting Enable:
16 (Packets)
12-3
13
When configuring QoS in an EPON system, go to these sections for information you are interested in:
z
Configuring QoS in an EPON System

An S7500E switch installed with an OLT card can work as an OLT in an EPON system. For detailed
information about an EPON system, see EPON Configuration and related chapters in Layer 2 - LAN
Switching Configuration Guide.
You can configure QoS for an OLT and ONUs attached to the OLT. To achieve QoS in an EPON
system, you must configure QoS at both the OLT side and the ONU side. The following part introduces
QoS functions that can be configured for uplink traffic and those for the downlink traffic.
QoS Functions for Uplink Traffic

Processing on an ONU
z
Configuring the priority trust mode for an ONU.
Configuring traffic classification for an ONU: the ONU classifies the uplink traffic of a UNI and
marks CoS precedence values for the matching traffic, so that traffic can be put into different
queues.
Filtering the packets matching certain match criteria according to the configured QoS policy.
Configuring the ONU to perform traffic policing for uplink traffic of a UNI.
Configuring the UNI to tag the uplink 802.1q-untagged traffic with the default VLAN tag, and
adding the UNI priority to the Priority field as the 802.1p precedence (CoS precedence).
Configuring the ONU to distribute the uplink traffic to different output queues based on the
mapping between the CoS precedence and local precedence.
Configuring the ONU to perform congestion management for traffic from uplink ports, supporting
SP and WFQ queue scheduling algorithms (available to only H3C ONUs).
Processing on an OLT
z
By default, an OLT port trusts the 802.1p precedence of the packets. You can configure to trust
the DSCP precedence of the packets through the command line. Thus, the OLT will obtain the
CoS precedence based on the mapping between the DSCP precedence and CoS precedence
before mapping the CoS precedence to the corresponding output queue. This configuration
applies to all uplink traffic of ONUs.
Configuring congestion management for uplink ports (supporting SP, WRR, and SP+WRR queue
scheduling algorithms).
Configuring congestion avoidance on an OLT. When the port is congested, received packets are
dropped selectively.
Figure 13-1 shows the QoS model for uplink traffic in an EPON system.
13-4
Figure 13-1 QoS model for uplink traffic in an EPON system
QoS Functions for Downlink Traffic

Processing on an OLT
z
Configuring the OLT to perform priority mapping for packets received from the uplink port
according to the CoS-to-local precedence mapping table and then assign packets to output
queues of the OLT port.
Configuring the OLT to perform congestion management for downlink traffic, supporting SP and
WRR queue scheduling algorithms.
Configuring the OLT to perform line rate and traffic shaping for downlink traffic.
Configuring the maximum downlink bandwidth that the OLT assigns to the ONU.
Configuring high-priority packet buffer for downlink traffic that the OLT sends to the specified
ONU.
Processing on an ONU
z
Filtering the packets matching certain match criteria according to the configured QoS policy.
Configuring the ONU to distribute the received downlink traffic to different output queues based on
the mapping between the CoS precedence and local precedence.
Configuring the ONU to perform traffic policing for downlink traffic of a UNI.
Some ONUs support configuring queue scheduling for traffic from a UNI. To perform such
configurations, you should log in to the ONU. For detailed configuration, see the ONU user manual.
Figure 13-2 shows the QoS model for downlink traffic in an EPON system.
Figure 13-2 QoS model for downlink traffic in an EPON system
13-5
Configuring QoS in an EPON System

QoS Configuration Task List in an EPON System
QoS configurations in an EPON system are the same as those in Ethernet, and the corresponding
configuration commands in OLT port view and ONU port view are the same as those in Ethernet port
view too. For detailed configuration, see the corresponding chapters above.
Table 13-1 and Table 13-2 show how to configure QoS for downlink traffic and uplink traffic in an EPON
system.
Table 13-1 Configure QOS at the OLT side of an EPON system
Reference
QoS at the OLT side

Configure priority mapping on the
Modify the priority mapping on the OLT
OLT
port
Configuring priority trust mode for
Configuring the Priority Trust Mode on
the OLT port
a Port
Configure QoS for uplink
Configure traffic policing for uplink
traffic
traffic of all ONUs (through QoS)
Configure congestion management
on the uplink port

Configure QoS for downlink

traffic
Configure the OLT to perform

priority mapping for traffic received
on an uplink port
Modify the priority mapping on the OLT

port
Configure congestion management
(SP and WRR) on the downlink

OLT port

Configure the high-priority queue
buffer for the specified ONU
Sending buffer size of the OLT port
Configure line rate and traffic
Configuring GTS
shaping for downlink traffic
13-6
Reference
QoS at the OLT side

Assign downlink bandwidth for each
ONU
Assign downlink bandwidth for an ONU
Table 13-2 Configure QoS at the ONU side of an EPON system

QoS at the ONU side
Reference
Configuring traffic classification and

CoS priority marking for incoming
Priority mapping on the UNI
packets on UNIs
Configure QoS for uplink
Configure priority trust mode for the
Configuring the Priority Trust
ONU
Mode on a Port
Configuring traffic policing for uplink
Configure traffic policing for
traffic of a UNI
downlink/uplink traffic of a UNI
Configure congestion management for
the uplink port of an ONU
traffic
Configure the ONU to perform priority

mapping for downlink traffic from the
OLT according to the CoS-to-local
Configure QoS for downlink
traffic
Priority mapping on the ONU port
precedence mapping table
Set the ONU port priority
Configuring the Priority Trust

Mode on a Port
Configuring traffic policing for downlink
traffic of a UNI
downlink/uplink traffic of a UNI
Configuring QoS at the OLT side

Modify the priority mapping on the OLT port
Follow these steps to modify the 802.1p-to-local mapping on the OLT port:
To do
Use the command
Remarks
Enter system view
system-view
Enter OLT port view
Optional
Modify the 802.1p-to-local

mapping on the OLT port for
downlink or uplink traffic
priority-queue-mapping { downstream |
For the default
upstream } { value } &<1-8>
mapping, see Table

14-1.
13-7
Sending buffer size of the OLT port

For traffic to be sent out an OLT port, you can set the priority threshold to identify high-priority traffic
and low-priority traffic. You can set sending buffer to reserve buffer for high-priority queues and thus
decrease the dropping probability of high-priority packets and guarantee QoS for high-priority packet
transmission. The sending buffer does not apply to low-priority queues.
You need to set the buffer parameters for high-priority packets in OLT port view and then enable
high-priority packet buffering for the specified ONU in ONU port view. After the configurations, when
the OLT sends traffic to the specified ONU, high-priority packet buffering is enabled and so that
high-priority packets can be sent preferentially.
You can enable high-priority packet buffering for multiple ONUs, and the OLT will reserve an
independent buffer for each ONU.
Follow these steps to configure rate limiting:
To do
Use the command
Remarks
Enter system view
system-view
Enter OLT port view
Required
The downlink packets
on an OLT port are
considered
high-priority only if
Configure the priority threshold

and enable high-priority packet
buffering
their priority is greater

bandwidth downstream priority-queue priority
high-priority-reserved value
then or equal to the

priority value.
The value argument
is in bytes.
By default, no buffer
is reserved for
high-priority packets.
Return to system view
quit
Enter ONU port view
Optional
Reserve high-priority buffer for

the current ONU
By default, the OLT

bandwidth downstream high-priority enable
reserves no
high-priority buffer for
an ONU.
13-8
High-priority packet buffering takes effect for downlink traffic only when downlink bandwidth allocation
policy is enabled (as shown in Configure traffic policing for downlink/uplink traffic of a UNI).
Assign downlink bandwidth for an ONU

When an S7500E works as an OLT in an EPON system, you can limit the rate at which the OLT port
sends traffic to each ONU, that is, assign downlink bandwidth to each ONU. This function includes two
configurations:
z
Enabling the downlink bandwidth allocation policy.
Configuring the ONU downlink bandwidth range, including the maximum bandwidth and the
maximum burst buffer.
Follow these steps to configure the ONU bandwidth allocation and related parameters:
To do
Enter system view
Enter ONU port view
Use the command
Remarks
system-view
interface-number
Required
Enable the ONU downlink
bandwidth allocation policy
bandwidth downstream policy
and prioritize high-priority
enable
By default, the downlink bandwidth

allocation policy is disabled and
high-priority packets are not
packets
prioritized.
Optional
Configure the ONU downlink
bandwidth limit
bandwidth downstream
By default, the maximum
{ max-bandwidth value |
bandwidth is 999994 kbps, and the
max-burstsize value } *
maximum burst buffer is 8388480

bytes.
The configuration of high-priority packet buffering (as shown in Sending buffer size of the OLT port)
and that of the downlink bandwidth limit take effect only when the downlink bandwidth allocation
policy is enabled.
The configured downlink bandwidth limitation takes effect only on known unicasts, but not on
unknown unicasts, multicasts, or broadcasts.
The sum of the minimum uplink bandwidths configured for all the existing ONU ports under an
OLT port cannot exceed 921600 Kbps, namely, 900 Mbps.
13-9
Configuring QoS at the ONU Side

Priority mapping on the ONU port
When the ONU receives packets on an ONU port, it assigns local precedence to the packets according
to the 802.1p-to-local precedence mapping table. Table 13-3 shows the default 802.1p-to-local
precedence mapping table.
Table 13-3 Default mapping between CoS precedence values and local precedence values
CoS precedence
Local precedence
Follow these steps to configure the mapping between CoS precedence values and local precedence
values:
To do...
Enter system view
Enter ONU port view
Use the command...
Remarks
system-view
interface-number
qos cos-local-precedence-map
cos0-map-local-prec
Configure the mapping
between CoS precedence
values and local precedence
values
cos1-map-local-prec
cos2-map-local-prec
Required
cos3-map-local-prec
For the default mapping, see Table
cos4-map-local-prec
13-3.
cos5-map-local-prec
cos6-map-local-prec
cos7-map-local-prec
Priority mapping on the UNI

You can classify the traffic received on a UNI based on information in the traffic, such as MAC address
and IP address, and then configure different mapping policies for each class of packets. When the
ONU receives packets on a UNI, it determines the actions to perform for packets based on the match
13-10
criteria, VLAN operation mode of the port, and VLAN tagging status of the received packets. For details,
see Table 13-4.
Table 13-4 Relationship between VLAN operation modes and priority remarking
VLAN operation
With or without VLAN
mode
tag
Packet processing
z
In the case of traffic classification based on the source MAC

address/destination MAC address, Ethernet priority, VLAN
ID, or physical port, if the packet matches the configured
traffic classification rule, the packet is priority-remarked with
the value specified in the rule and is then forwarded;
Transparent
With VLAN tag
mode
otherwise, the packet is directly forwarded.

z
In the case of traffic classification based on Ethernet type,

DSCP, IP protocol type, source IP address/destination IP
address, or source L4 port, the packet is forwarded without
any change.
Without VLAN tag
The packet is forwarded without any change.
With VLAN tag
The packet is dropped.

The packet is tagged with the VLAN tag corresponding to the
default PVID of the port, and then:
z
Tag mode
Without VLAN tag
If the packet matches the configured traffic classification

rule, the packet is priority-remarked with the value specified
in the rule and is then forwarded;
Otherwise, the packet is remarked with the port priority and

is then forwarded.
Case 1: The VLAN ID in the VLAN tag matches a VLAN

translation entry on the port. The VLAN ID is replaced with the
VLAN ID corresponding to the entry, and then:
z

Translation mode
With VLAN tag
Otherwise, the packet is directly forwarded.
Case 2: The VLAN ID in the tag is the default VLAN ID of the

port:
z

Otherwise, the packet is directly forwarded.
Case 3: The VLAN ID in the tag does not match any VLAN
translation entry on the port. The packet is dropped.
13-11
VLAN operation
With or without VLAN
mode
tag
Packet processing
The packet is tagged with the VLAN tag corresponding to the

default PVID of the port, and then:
z
Without VLAN tag

Otherwise, the packet is remarked with the port priority and

is then forwarded.
Follow these steps to configure uplink traffic classification and priority remarking for a UNI:
To do...
Use the command...
Remarks
Enter system view
system-view
Enter ONU port view
Configure uplink traffic
uni uni-number classification-marking index index queue
priority remarking for a
qid priority priority { selector operator matched-value }
UNI
&<1-4>
Currently, up to eight rules can be configured for each UNI port on an H3C ONU.
13-12
Required
Table 13-5 Restrictions about the configuration

Item
Restrictions
z
If a source MAC addressbased traffic classification rule and a destination

MAC addressbased traffic classification rule are configured for a UNI port
of an ONU, and if the uplink traffic satisfies both rules, only the destination
MAC addressbased traffic classification rule applies even if the other one
has a higher priority.
The configuration of destination MAC addressbased priority remarking

takes effect globally. Namely, a destination MAC addressbased traffic
classification rule configured for a UNI port of an ONU applies to incoming
traffic from all the other UNI ports of the ONU.
Priority remarking based on

the source MAC address or
destination Mac address
In the case of source MAC addressbased priority remarking for a UNI port,
the ONU adds the source MAC address and the corresponding UNI port
statically into its MAC address table; In the case of destination MAC
addressbased priority remarking for a UNI port, the ONU adds the
destination MAC address and the PON port of the ONU statically into its
MAC address table.
It does not support priority remarking based on the source MAC

addresses/destination MAC addresses that are multicast MAC addresses,
all-0 MAC addresses, broadcast MAC addresses, or the MAC address of
the ONU.

Ethernet priority

VLAN ID
When the VLAN operation mode is set to tag mode for a UNI and the CoS
value in the traffic classification rule is the same as the priority of the UNI, the
traffic classification rule will not take effect.
The configuration of VLAN IDbased priority remarking takes effect globally.
Namely, a VLAN IDbased traffic classification rule configured for a UNI port of
an ONU applies to incoming traffic from all the other UNI ports of the ONU.
z
The configuration of priority remarking based on Ethernet type, DSCP, IP

protocol type, source IP address/destination IP address, or source L4 port
takes effect globally. Namely, such a traffic classification rule configured for
a UNI port of an ONU applies to incoming traffic from all the other UNI ports
of the ONU.

Ethernet type, DSCP, IP
If multiple rules are matched on the same UNI of an ONU, the match
protocol type, source IP
sequence is L3 L4 L2; if the rules are for the same layer, the rule with
address/destination IP
the smallest index has the highest precedence.
address, or source L4 port
The device does not support priority remarking for different UNIs of an ONU
based on the same Ethernet type, DSCP, IP protocol type, source IP
address/destination IP address, or source L4 port.
The device does not support priority remarking based on destination L4

ports.
13-13
For VLAN operation mode introduction and configuration of a UNI, see UNI Port Configuration in the
Layer 2 - LAN Switching Configuration Guide.
Configure traffic policing for downlink/uplink traffic of a UNI

Follow these steps to configure traffic policing for downlink/uplink traffic of a UNI:
To do
Enter system view
Enter ONU port view
Use the command

system-view
interface-number
Remarks
uni uni-number port-policy

{ { inbound { cir cir-value |
Optional
bucket-depth
The CIR should be a multiple of 64.
bucket-depth-value |
By default, traffic policing is not configured
uplink/downlink traffic
extra-burst-size
for a UNI.
ebs-value }* } | outbound
cir cir-value [ pir
Note that: only H3C ONUs support the

outbound keyword.
pir-value ] }
Example for UNI Priority Remarking Configuration

z
Set the uplink bandwidth of the ONU to 50 Mbps.
Configure the VLAN operation mode as transparent for both UNI 1 and UNI 2.
Configure priority remarking for UNI 1: Remark tagged packets sourced from the MAC address of
000A-EB7F-AAAB with CoS 3 precedence.
Configure priority remarking for UNI 2: Remark tagged packets sourced from the MAC address of
001B-EB7F-21AC with CoS 1 precedence.
Network diagram
Figure 13-3 Network diagram for UNI priority remarking configuration
13-14
# Create ONU 3/0/1:1, and bind it to the ONU.
[Sysname] interface olt 3/0/1
[Sysname-Olt3/0/1] using onu 1
[Sysname-Olt3/0/1] quit
[Sysname] interface onu 3/0/1:1
[Sysname-Onu3/0/1:1] bind onuid 000f-e200-0104
# Set the uplink bandwidth of the ONU port to 50 Mbps (64 Kbps 800).
[Sysname-Onu3/0/1:1] upstream-sla minimum-bandwidth 800 maximum-bandwidth 800
# Configure the VLAN operation mode as transparent for UNI 1 and UNI 2.
[Sysname-Onu3/0/1:1] uni 1 vlan-mode transparent
[Sysname-Onu3/0/1:1] uni 2 vlan-mode transparent
For detailed information about ONU uplink bandwidth and VLAN operation mode of a UNI, see ONU
Remote Management Configuration and UNI Port Configuration in the Layer 2 - LAN Switching
Configuration Guide.
# Configure priority remarking for UNI 1 and UNI 2.

[Sysname-Onu3/0/1:1] uni 1 classification-marking index 1 queue 3 priority 3 src-mac equal
000A-EB7F-AAAB
[Sysname-Onu3/0/1:1] uni 2 classification-marking index 1 queue 1 priority 1 src-mac equal
001B-EB7F-21AC
After the configuration above is complete, when two streams (each 50 Mbps) from two UNIs of the
ONU are being forwarded to the OLT, the packets sourced from the MAC address of 001B-EB7F-21AC
are dropped at forwarding congestion on the ONU port, because the queue precedence of these
packets is lower than that of the packets sourced from the MAC address of 000A-EB7F-AAAB.
13-15
14
Appendix A Default Priority Mapping Tables
For the default dot1p-exp, dscp-dscp, and exp-dot1p priority mapping tables, an input value yields a
target value that is equal to it.
Table 14-1 The default dot1p-lp and dot1p-dp priority mapping tables
Input priority value
dot1p-lp mapping
dot1p-dp mapping
Local precedence
802.1p priority (dot1p)
Drop precedence (dp)

(lp)
Table 14-2 The default dscp-dp and dscp-dot1p priority mapping tables
dscp-dp mapping
dscp-dot1p mapping
DSCP
0 to 7
8 to 15
16 to 23
24 to 31
32 to 39
14-1
dscp-dp mapping
dscp-dot1p mapping
DSCP
40 to 47
48 to 55
56 to 63
Table 14-3 The default exp-dp priority mapping tables

exp-dp mapping
EXP value
14-2
15
Appendix B Introduction to Packet Precedences
IP Precedence and DSCP Values

Figure 15-1 ToS and DS fields
As shown in Figure 15-1, the ToS field of the IP header contains eight bits, and the first three bits (0 to
2) represent IP precedence from 0 to 7. According to RFC 2474, the ToS field of the IP header is
redefined as the differentiated services (DS) field, where a DSCP value is represented by the first six
bits (0 to 5) and is in the range 0 to 63. The remaining two bits (6 and 7) are reserved.
Table 15-1 Description on IP precedence

IP precedence (decimal)
IP precedence (binary)
Description
000
Routine
001
priority
010
immediate
011
flash
100
flash-override
101
critical
110
internet
111
network
15-1
Table 15-2 Description on DSCP values

DSCP value (decimal)
DSCP value (binary)
Description
46
101110
ef
10
001010
af11
12
001100
af12
14
001110
af13
18
010010
af21
20
010100
af22
22
010110
af23
26
011010
af31
28
011100
af32
30
011110
af33
34
100010
af41
36
100100
af42
38
100110
af43
001000
cs1
16
010000
cs2
24
011000
cs3
32
100000
cs4
40
101000
cs5
48
110000
cs6
56
111000
cs7
000000
be (default)
802.1p Priority
802.1p priority lies in Layer 2 packet headers and is applicable to occasions where Layer 3 header
analysis is not needed and QoS must be assured at Layer 2.
15-2
Figure 15-2 An Ethernet frame with an 802.1Q tag header
As shown in Figure 15-2, the 4-byte 802.1Q tag header consists of the tag protocol identifier (TPID,
two bytes in length), whose value is 0x8100, and the tag control information (TCI, two bytes in length).
Figure 15-3 presents the format of the 802.1Q tag header. The Priority field in the 802.1Q tag header is
called the 802.1p priority, because its use is defined in IEEE 802.1p. Table 15-3 presents the values for
802.1p priority.
Figure 15-3 802.1Q tag header
Byte 1
Byte 2
Byte 3
TPID (Tag protocol identifier)
Byte 4
TCI (Tag control information)
1 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 Priority
CFI
VLAN ID
7 6 5 4 3 2 1 0 7 6 5 4 3 2 1 0 7 6 5 4 3 2 1 0 7 6 5 4 3 2 1 0
Table 15-3 Description on 802.1p priority

802.1p priority (decimal)
802.1p priority (binary)
Description
000
best-effort
001
background
010
spare
011
excellent-effort
100
controlled-load
101
video
110
voice
111
network-management
EXP Values
The EXP field lies in MPLS labels and is used for QoS.
15-3
Figure 15-4 MPLS label structure
As shown in Figure 15-4, the EXP field is 3 bits long and ranges from 0 to 7.
15-4
16
Index
DiffServ Service Model
A
ACL Classification
2-2
Displaying and Maintaining QoS Policies
1-2
3-10
ACL Numbering and Naming 1-3

Application of ACLs on the Switch 1-2
Applying the QoS Policy 3-6
Example for UNI Priority Remarking
Configuration
Best-Effort Service Model 2-1
Introduction to Priority Mapping
Congestion 6-1
4-1
Introduction to WRED Parameters 7-2
Class-Based Accounting Configuration
IntServ Service Model
12-2
Configuration prerequisites
2-2
11-1
1-15
Configure WRR Queuing 6-6
IPv4 Fragments Filtering with ACLs 1-5
Configuring a Basic ACL 1-7
4-5
Line Rate 5-4
1-12
Match Order
13-7
1-3
Configuring QoS at the ONU Side 13-10
Configuring SP Queuing 6-5
Non Policy-Based Configuration
Configuring SP+WRR Queues 6-8

3-1
4-6
Policy-Based Configuration
3-1
Positions of the QoS Techniques in a
4-5
Network
6-6
2-3
Priority Mapping Procedure
Congestion Management Policies 6-2
4-2
Priority Mapping Table and Priority Marking
Copying an ACL 1-14

1-6
4-7
4-1
Priority Marking Configuration Example 9-5
Defining a Class 3-2

Defining a Policy
1-17
Configuring an Advanced ACL 1-9
Configuring QoS at the OLT side
1-5
Introduction to ACL 1-1
Causes, Impacts, and Countermeasures of
Example
13-14
Priority Trust Mode on a Port 4-2

3-5
Defining a Traffic Behavior
Q
3-5
16-1
QoS Configuration Task List in an EPON

System
13-6
QoS Functions for Downlink Traffic 13-5

QoS Functions for Uplink Traffic
13-4
QoS-Local-ID Marking Configuration

Example
9-6
T
Traffic Evaluation and Token Buckets
5-1
Traffic Filtering Configuration Example 8-3

Traffic Policing 5-2
Traffic Shaping 5-3
W
WRED Configuration Approaches 7-2
16-2

ACL and QoS Configuration Guide-Book

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

ACL and QoS Configuration Guide-Book

Uploaded by

Copyright:

Available Formats

H3C S7500E Series Ethernet Switches

ACL and QoS

Hangzhou H3C Technologies Co., Ltd.

, IRF, NetPilot, Neocean, NeoVTL,

About the H3C S7500E Documentation Set

Field technical support and servicing engineers

Network administrators working with the S7500E series

Traffic Policing, Traffic

QoS in an EPON System

Square brackets enclose syntax choices (keywords or arguments) that are

Braces enclose a set of required syntax choices separated by vertical bars,

Square brackets enclose a set of optional syntax choices separated by vertical

Asterisk marked braces enclose a set of required syntax choices separated by

Asterisk marked square brackets enclose optional syntax choices separated by

A line that starts with a pound (#) sign is comments.

Multi-level menus are separated by forward slashes. For example,

About the H3C S7500E Documentation Set

Product description and

Describe product specifications and benefits.

Technology white papers

Provide an in-depth description of software features

Describe card specifications, features, and standards.

Provides a complete guide to hardware installation

H3C N68 Cabinet

Guides you through installing and remodeling H3C

H3C Pluggable SFP

Guides you through installing SFP/SFP+/XFP

H3C Mid-Range Series

Describes the hot-swappable modules available for

H3C PoE DIMM Module

Describes how to install the DIMM

Single PoE DIMM

Describes how to install the 24-port DIMM

Describe software features and configuration

Provide a quick reference to all available commands.

Describe typical network scenarios and provide

Provide information about the product release,

Describes the appearance, specifications, LEDs, and

Describes the appearance, specifications, LEDs, and

Describes the appearance, specifications, LEDs, and

Describes the appearance, specifications, LEDs, and

Describes the appearance, specifications, LEDs, and

H3C PWR-SPA Power

Describes the functions and appearance of the H3C

H3C S7500E Power

Guides you to select power modules in various cases.

The type, number, and transmission rate of

4 Priority Mapping Configuration4-1

WRED Configuration Approaches7-2

14 Appendix A Default Priority Mapping Tables 14-1

ACL Configuration Task List

Creating a Time Range

Configuring a Basic ACL

Configuring an Advanced ACL

Configuring an Ethernet Frame Header ACL

Displaying and Maintaining ACLs

ACL Configuration Examples

Application of ACLs on the Switch

ACL Numbering and Naming

Implementing Time-Based ACL Rules

IPv4 Fragments Filtering with ACLs

Application of ACLs on the Switch

Hardware-based application: An ACL is assigned to a piece of hardware. For example, an ACL