HP 5500 Ei 5500 Si Switch Series Configuration Guide
Contents

    Configuration procedure ... 20
  Defining a traffic behavior ... 21
  Defining a policy ... 22
    Configuration restrictions and guidelines ... 22
    Configuration procedure ... 22
  Applying the QoS policy ... 22
    Applying the QoS policy to an interface ... 23
    Applying the QoS policy to online users ... 23
    Applying the QoS policy to a VLAN ... 24
    Applying the QoS policy globally ... 24
    Applying the QoS policy to the control plane ... 25
  Displaying and maintaining QoS policies ... 25
Configuring priority mapping ... 27
  Overview ... 27
    Types of priorities ... 27
    Priority mapping tables ... 27
    Priority trust mode on a port ... 28
    Priority mapping procedure ... 28
  Configuration guidelines ... 29
  Configuring a priority mapping table ... 29
  Configuring a port to trust packet priority for priority mapping ... 30
  Changing the port priority of an interface ... 30
  Displaying priority mappings ... 31
  Priority trust mode configuration example ... 31
    Network requirements ... 31
    Configuration procedure ... 32
  Priority mapping table and priority marking configuration example ... 32
    Network requirements ... 32
    Configuration procedure ... 33
Configuring traffic policing, traffic shaping, and line rate ... 35
  Overview ... 35
    Traffic evaluation and token buckets ... 35
    Traffic policing ... 36
    Traffic shaping ... 37
    Line rate ... 38
  Configuring traffic policing ... 39
    Configuration restrictions and guidelines ... 39
    Configuration procedure ... 39
  Configuring GTS ... 40
  Configuring the line rate ... 40
  Displaying and maintaining traffic policing, GTS, and line rate ... 41
  Traffic policing configuration example ... 41
    Network requirements ... 41
    Configuration procedures ... 42
Configuring congestion management ... 44
  Overview ... 44
    Congestion management techniques ... 44
    SP queuing ... 45
    WRR queuing ... 45
    WFQ queuing ... 47
    SP+WRR queuing ... 47
    SP+WFQ queuing ... 48
  Configuring SP queuing ... 48
    Configuration procedure ... 48
    Configuration example ... 48
  Configuring WRR queuing ... 49
    Configuration procedure ... 49
    Configuration example ... 49
  Configuring WFQ queuing ... 50
    Configuration procedure ... 50
    Configuration example ... 51
  Configuring SP+WRR queuing ... 52
    Configuration procedure ... 52
    Configuration example ... 52
  Configuring SP+WFQ queuing ... 53
    Configuration procedure ... 53
    Configuration example ... 54
Configuring congestion avoidance (available only on the 5500 EI) ... 55
  Overview ... 55
    Tail drop ... 55
    RED and WRED ... 55
    Introduction to WRED configuration ... 56
  Configuration procedure ... 56
  Configuration examples ... 57
  Displaying and maintaining WRED ... 57
Configuring traffic filtering ... 58
  Configuration procedure ... 58
  Traffic filtering configuration example ... 59
    Network requirements ... 59
    Configuration procedure ... 59
Configuring priority marking ... 60
  Color-based priority marking ... 60
    Coloring a packet ... 60
    Marking packets based on their colors ... 60
  Configuration procedure ... 61
  Local precedence re-marking configuration example ... 62
    Network requirements ... 62
    Configuration procedure ... 62
Configuring traffic redirecting ... 65
  Configuration restrictions and guidelines ... 65
  Configuration procedure ... 65
  Redirect-to-next hop configuration example ... 66
    Network requirements ... 66
    Configuration procedure ... 67
Configuring class-based accounting ... 69
  Configuration procedure ... 69
  Displaying and maintaining traffic accounting ... 69
  Class-based accounting configuration example ... 70
    Network requirements ... 70
    Configuration procedure ... 70
Configuring the data buffer ... 72
  Overview ... 72
    Data buffer ... 72
    Data buffer allocation ... 72
    Data buffer configuration approaches ... 73
  Using the burst function to configure the data buffer setup ... 74
  Manually configuring the data buffer setup ... 74
    Manually configuring the data buffer ... 74
      Configuring the cell resource ... 74
      Configuring the packet resource ... 76
    Applying the data buffer settings ... 76
Appendix A Default priority mapping tables ... 77
  Uncolored priority mapping tables ... 77
Appendix B Packet precedences ... 78
  IP precedence and DSCP values ... 78
  802.1p priority ... 79
Index ... 81
Configuring ACLs

• Unless otherwise stated, ACLs refer to both IPv4 and IPv6 ACLs throughout this document.
• The term interface in the routing features refers to VLAN interfaces, bridge mode (Layer 2) and route mode (Layer 3) Ethernet ports. You can set an Ethernet port to operate in route mode by using the port link-mode route command (see Layer 2—LAN Switching Configuration Guide). 5500 SI Switch Series does not support Layer 3 Ethernet ports.

Overview

An access control list (ACL) is a set of rules (or permit or deny statements) for identifying traffic based on criteria such as source IP address, destination IP address, and port number.

ACLs are primarily used for packet filtering. A packet filter drops packets that match a deny rule and permits packets that match a permit rule. ACLs are also used by many modules, QoS and IP routing for example, for traffic classification and identification.

Applications on the switch

An ACL is implemented in hardware or software, depending on the module that uses it. If the module, the packet filter or QoS module for example, is implemented in hardware, the ACL is applied to hardware to process traffic. If the module, the routing or user interface access control module (Telnet, SNMP, or web) for example, is implemented in software, the ACL is applied to software to process traffic.

The user interface access control module denies packets that do not match any ACL. Some modules, QoS for example, ignore the permit or deny action in ACL rules and do not base their drop or forwarding decisions on the action set in ACL rules. See the specified module for information about ACL application.
ACL categories

Basic ACLs (ACL number 2000 to 2999)
  IPv4: source IPv4 address
  IPv6: source IPv6 address
Advanced ACLs (ACL number 3000 to 3999)
  IPv4: source IPv4 address, destination IPv4 address, packet priority, protocols over IPv4, and other Layer 3 and Layer 4 header fields
  IPv6: source IPv6 address, destination IPv6 address, packet priority, protocols over IPv6, and other Layer 3 and Layer 4 header fields
Ethernet frame header ACLs (ACL number 4000 to 4999)
  IPv4 and IPv6: Layer 2 header fields, such as source and destination MAC addresses, 802.1p priority, and link layer protocol type
Numbering and naming ACLs

Each ACL category has a unique range of ACL numbers. When creating an ACL, you must assign it a number. In addition, you can assign the ACL a name for ease of identification. After creating an ACL with a name, you cannot rename it or delete its name.

For an Ethernet frame header ACL, the ACL number and name must be globally unique. For an IPv4 basic or advanced ACL, the ACL number and name must be unique among all IPv4 ACLs, and for an IPv6 basic or advanced ACL, the ACL number and name must be unique among all IPv6 ACLs. You can assign an IPv4 ACL and an IPv6 ACL the same number and name.

Match order

The rules in an ACL are sorted in a specific order. When a packet matches a rule, the device stops the match process and performs the action defined in the rule. If an ACL contains overlapping or conflicting rules, the matching result and action to take depend on the rule order.

The following ACL match orders are available:
• config—Sorts ACL rules in ascending order of rule ID. A rule with a lower ID is matched before a rule with a higher ID. If you use this approach, carefully check the rules and their order.
• auto—Sorts ACL rules in depth-first order. Depth-first ordering guarantees that any subset of a rule is always matched before the rule. Table 1 lists the sequence of tie breakers that depth-first ordering uses to sort rules for each type of ACL.

Table 1 Sort ACL rules in depth-first order

IPv4 basic ACL
  1. VPN instance
  2. More 0s in the source IP address wildcard (more 0s means a narrower IP address range)
  3. Rule configured earlier
IPv4 advanced ACL
  1. VPN instance
  2. Specific protocol type rather than IP (IP represents any protocol over IP)
  3. More 0s in the source IP address wildcard mask
  4. More 0s in the destination IP address wildcard
  5. Narrower TCP/UDP service port number range
  6. Rule configured earlier
IPv6 basic ACL
  1. VPN instance
  2. Longer prefix for the source IP address (a longer prefix means a narrower IP address range)
  3. Rule configured earlier
IPv6 advanced ACL
  1. VPN instance
  2. Specific protocol type rather than IP (IP represents any protocol over IPv6)
  3. Longer prefix for the source IPv6 address
  4. Longer prefix for the destination IPv6 address
  5. Narrower TCP/UDP service port number range
  6. Rule configured earlier
Ethernet frame header ACL
  1. More 1s in the source MAC address mask (more 1s means a smaller MAC address range)
  2. More 1s in the destination MAC address mask
  3. Rule configured earlier

A wildcard mask, also called an inverse mask, is a 32-bit binary number represented in dotted decimal notation. In contrast to a network mask, the 0 bits in a wildcard mask represent do care bits, and the 1 bits represent don't care bits. If the do care bits in an IP address are identical to the do care bits in an IP address criterion, the IP address matches the criterion. All don't care bits are ignored. The 0s and 1s in a wildcard mask can be noncontiguous. For example, 0.255.0.255 is a valid wildcard mask.

NOTE: Only 5500 EI Switch Series supports VPN instance configuration in an ACL rule.

ACL rule comments and rule range remarks

You can add a comment about an ACL rule to make it easy to understand. The rule comment appears below the rule statement.

You can also add a rule range remark to indicate the start or end of a range of rules created for the same purpose. A rule range remark always appears above the specified ACL rule. If the specified rule has not been created yet, the position of the remark in the ACL is as follows:
• If the match order is config, the remark is inserted into the ACL in descending order of rule ID.
• If the match order is auto, the remark is placed at the end of the ACL. After you create the rule, the remark appears above the rule.

For more information about how to use rule range remarks, see the rule remark command in ACL and QoS Command Reference for your device.

ACL rule numbering

What is the ACL rule numbering step

If you do not assign an ID to the rule you are creating, the system automatically assigns it a rule ID. The rule numbering step sets the increment by which the system automatically numbers rules. For example, the default ACL rule numbering step is 5.
If you do not assign IDs to rules you are creating, they are automatically numbered 0, 5, 10, 15, and so on. The wider the numbering step, the more rules you can insert between two rules. By introducing a gap between rules rather than contiguously numbering rules, you have the flexibility of inserting rules in an ACL. This feature is important for a config order ACL, where ACL rules are matched in ascending order of rule ID.

Automatic rule numbering and renumbering

The ID automatically assigned to an ACL rule takes the nearest higher multiple of the numbering step to the current highest rule ID, starting with 0. For example, if the numbering step is 5 (the default), and there are five ACL rules numbered 0, 5, 9, 10, and 12, the newly defined rule is numbered 15. If the ACL does not contain any rule, the first rule is numbered 0.

Whenever the step changes, the rules are renumbered, starting from 0. For example, if there are five rules numbered 5, 10, 13, 15, and 20, changing the step from 5 to 2 causes the rules to be renumbered 0, 2, 4, 6, and 8.

Fragments filtering with ACLs

Traditional packet filtering matches only first fragments of packets, and allows all subsequent non-first fragments to pass through. Attackers can fabricate non-first fragments to attack networks. To avoid the risks, the HP ACL implementation:
• Filters all fragments by default, including non-first fragments.
• Allows for matching criteria modification, for example, filtering non-first fragments only.

ACL configuration task list

Configuring a time range
  Optional. Applicable to IPv4 and IPv6 ACLs.
Configuring a basic ACL
Configuring an advanced ACL
Configuring an Ethernet frame header ACL
  Required. Configure at least one task. Applicable to IPv4 and IPv6 except that simple ACLs are for IPv6.
Copying an ACL
  Optional. Applicable to IPv4 and IPv6.
Packet filtering with ACLs
  Optional. Applicable to IPv4 and IPv6.

Configuring a time range

You can implement ACL rules based on the time of day by applying a time range to them. A time-based ACL rule only takes effect in any time periods specified by the time range.

The following basic types of time range are available:
• Periodic time range—Recurs periodically on a day or days of the week.
• Absolute time range—Represents only a period of time and does not recur.

You can create a maximum of 256 time ranges, each with a maximum of 32 periodic statements and 12 absolute statements. The active period of a time range is calculated as follows:
1. Combining all periodic statements.
2. Combining all absolute statements.
3. Taking the intersection of the two statement sets as the active period of the time range.

To configure a time range:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Configure a time range.
  Command: time-range time-range-name { start-time to end-time days [ from time1 date1 ] [ to time2 date2 ] | from time1 date1 [ to time2 date2 ] | to time2 date2 }
  Remarks: By default, no time range exists. Repeat this command with the same time range name to create multiple statements for a time range.

Configuring a basic ACL

Configuring an IPv4 basic ACL

IPv4 basic ACLs match packets based only on source IP addresses.

To configure an IPv4 basic ACL:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Create an IPv4 basic ACL and enter its view.
  Command: acl number acl-number [ name acl-name ] [ match-order { auto | config } ]
  Remarks: By default, no ACL exists. IPv4 basic ACLs are numbered in the range of 2000 to 2999. You can use the acl name acl-name command to enter the view of a named IPv4 ACL.
Step 3. Configure a description for the IPv4 basic ACL.
  Command: description text
  Remarks: Optional. By default, an IPv4 basic ACL has no ACL description.
Step 4. Set the rule numbering step.
  Command: step step-value
  Remarks: Optional. The default setting is 5.
Step 5. Create or edit a rule.
  Command: rule [ rule-id ] { deny | permit } [ counting | fragment | logging | source { sour-addr sour-wildcard | any } | time-range time-range-name | vpn-instance vpn-instance-name ] *
  Remarks: By default, an IPv4 basic ACL does not contain any rule. The vpn-instance vpn-instance-name option is not available on a 5500 SI switch. If the ACL is for QoS traffic classification or packet filtering, do not specify the vpn-instance keyword. This keyword can cause ACL application failure. The logging and counting keywords (even if specified) do not take effect for QoS policies.
Step 6. Add or edit a rule comment.
  Command: rule rule-id comment text
  Remarks: Optional. By default, no rule comments are configured.
Step 7. Add or edit a rule range remark.
  Command: rule [ rule-id ] remark text
  Remarks: Optional. By default, no rule range remarks are configured.
Step 8. Enable counting ACL rule matches performed in hardware.
  Command: hardware-count enable
  Remarks: Optional. Disabled by default. When the ACL is referenced by a QoS policy, this command does not take effect.
Configuring an IPv6 basic ACL

To configure an IPv6 basic ACL:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Create an IPv6 basic ACL and enter its view.
  Command: acl ipv6 number acl6-number [ name acl6-name ] [ match-order { auto | config } ]
  Remarks: By default, no ACL exists. IPv6 basic ACLs are numbered in the range of 2000 to 2999. You can use the acl ipv6 name acl6-name command to enter the view of a named IPv6 ACL.
Step 3. Configure a description for the IPv6 basic ACL.
  Command: description text
  Remarks: Optional. By default, an IPv6 basic ACL has no ACL description.
Step 4. Set the rule numbering step.
  Command: step step-value
  Remarks: Optional. The default setting is 5.
Step 5. Create or edit a rule.
  Command: rule [ rule-id ] { deny | permit } [ counting | fragment | logging | routing [ type routing-type ] | source { ipv6-address prefix-length | ipv6-address/prefix-length | any } | time-range time-range-name | vpn-instance vpn-instance-name ] *
  Remarks: By default, an IPv6 basic ACL does not contain any rule. The vpn-instance vpn-instance-name option is not available on a 5500 SI switch. If the ACL is for QoS traffic classification or packet filtering, do not specify the fragment, routing, and vpn-instance keywords. These keywords can cause ACL application failure. The logging and counting keywords (even if specified) do not take effect for QoS.
Step 6. Add or edit a rule comment.
  Command: rule rule-id comment text
  Remarks: Optional. By default, no rule comments are configured.
Step 7. Add or edit a rule range remark.
  Command: rule [ rule-id ] remark text
  Remarks: Optional. By default, no rule range remarks are configured.
Step 8. Enable counting ACL rule matches performed in hardware.
  Command: hardware-count enable
  Remarks: Optional. Disabled by default. When the ACL is referenced by a QoS policy, this command does not take effect.
Configuring an advanced ACL

Configuring an IPv4 advanced ACL

IPv4 advanced ACLs match packets based on source IP addresses, destination IP addresses, packet priorities, protocols over IP, and other protocol header information, such as TCP/UDP source and destination port numbers, TCP flags, ICMP message types, and ICMP message codes. Compared to IPv4 basic ACLs, IPv4 advanced ACLs allow more flexible and accurate filtering. To configure an IPv4 advanced ACL:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Create an IPv4 advanced ACL and enter its view.
  Command: acl number acl-number [ name acl-name ] [ match-order { auto | config } ]
  Remarks: By default, no ACL exists. IPv4 advanced ACLs are numbered in the range of 3000 to 3999. You can use the acl name acl-name command to enter the view of a named IPv4 ACL.
Step 3. Configure a description for the IPv4 advanced ACL.
  Command: description text
  Remarks: Optional. By default, an IPv4 advanced ACL has no ACL description.
Step 4. Set the rule numbering step.
  Command: step step-value
  Remarks: Optional. The default setting is 5.
Step 5. Create or edit a rule.
  Command: rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | counting | destination { dest-addr dest-wildcard | any } | destination-port operator port1 [ port2 ] | dscp dscp | fragment | icmp-type { icmp-type [ icmp-code ] | icmp-message } | logging | precedence precedence | source { sour-addr sour-wildcard | any } | source-port operator port1 [ port2 ] | time-range time-range-name | tos tos | vpn-instance vpn-instance-name ] *
  Remarks: By default, an IPv4 advanced ACL does not contain any rule. The vpn-instance vpn-instance-name option is not available on a 5500 SI switch. If an IPv4 advanced ACL is for QoS traffic classification or packet filtering, do not specify the vpn-instance keyword or specify neq for the operator argument. The logging and counting keywords (even if specified) do not take effect for QoS traffic classification.
Step 6. Add or edit a rule comment.
  Command: rule rule-id comment text
  Remarks: Optional. By default, no rule comments are configured.
Step 7. Add or edit a rule range remark.
  Command: rule [ rule-id ] remark text
  Remarks: Optional. By default, no rule range remarks are configured.
Step 8. Enable counting ACL rule matches performed in hardware.
  Command: hardware-count enable
  Remarks: Optional. Disabled by default. When the ACL is referenced by a QoS policy, this command does not take effect.
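The time range, IPv4 basic ACL and IPv4 advanced ACL procedures above, carried through in one configuration session. This is an added example, not configuration taken from the guide: the ACL numbers and names, the address blocks (documentation ranges, constructed for the example), the working-day value for the days argument and the eq value for the operator argument are assumptions; every command and keyword used is one listed in the steps above.

```text
# Step 1 of each procedure: enter system view.
system-view

# Periodic time range covering 08:00 to 18:00 on working days.
# "working-day" is an assumed value for the days argument.
time-range work-hours 08:00 to 18:00 working-day

# IPv4 basic ACL (numbers 2000-2999): matches on source address only.
# Assumed number 2001, assumed name mgmt-hosts, match-order config so rules
# are matched in ascending rule-id order.
acl number 2001 name mgmt-hosts match-order config
 description Hosts allowed to manage the switch
 step 10
 # Explicit rule IDs; with step 10, auto-assigned IDs would also be 0, 10, ...
 rule 0 permit source 192.0.2.0 0.0.0.255 counting
 rule 10 deny source any logging
 rule 0 comment Management subnet (constructed sample address block)
 # Counts hardware matches; ignored if this ACL is later bound by a QoS policy.
 hardware-count enable
 quit

# IPv4 advanced ACL (numbers 3000-3999): matches protocol, ports, TCP flags.
# Assumed number 3001 and name server-access. Rules outside their time range
# are inactive, so rule 0 only matches during work-hours and SSH attempts at
# other times fall through to the deny at rule 10.
acl number 3001 name server-access match-order config
 description Limit new TCP sessions to the server subnet to working hours
 rule 0 permit tcp destination 198.51.100.0 0.0.0.255 destination-port eq 22 time-range work-hours counting
 # Let already-established TCP sessions continue (established keyword).
 rule 5 permit tcp established
 # Deny and log every other TCP packet to the servers, including new
 # connection attempts (SYN without ACK) outside work hours.
 rule 10 deny tcp syn 1 ack 0 destination 198.51.100.0 0.0.0.255 logging
 rule 15 permit ip
 rule 10 comment Logs blocked connection attempts to the server subnet
 quit
```

The neq operator is deliberately avoided because, as the step 5 remarks state, it prevents the ACL from being applied for packet filtering or QoS classification.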
Configuring an IPv6 advanced ACL

IPv6 advanced ACLs match packets based on the source IPv6 addresses, destination IPv6 addresses, packet priorities, protocols carried over IPv6, and other protocol header fields such as the TCP/UDP source port number, TCP/UDP destination port number, ICMPv6 message type, and ICMPv6 message code.