HP 5500 Ei 5500 Si Switch Series Configuration Guide
Compared to IPv6 basic ACLs, IPv6 advanced ACLs allow more flexible and accurate filtering.

To configure an IPv6 advanced ACL:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Create an IPv6 advanced ACL and enter its view.
    Command: acl ipv6 number acl6-number [ name acl6-name ] [ match-order { auto | config } ]
    Remarks: By default, no ACL exists. IPv6 advanced ACLs are numbered in the range of 3000 to 3999. You can use the acl ipv6 name acl6-name command to enter the view of a named IPv6 ACL.

Step 3. Configure a description for the IPv6 advanced ACL.
    Command: description text
    Remarks: Optional. By default, an IPv6 advanced ACL has no ACL description.

Step 4. Set the rule numbering step.
    Command: step step-value
    Remarks: Optional. 5 by default.

Step 5. Create or edit a rule.
    Command: rule [ rule-id ] { deny | permit } protocol [ { { ack ack-value | fin fin-value | psh psh-value | rst rst-value | syn syn-value | urg urg-value } * | established } | counting | destination { dest dest-prefix | dest/dest-prefix | any } | destination-port operator port1 [ port2 ] | dscp dscp | flow-label flow-label-value | fragment | icmp6-type { icmp6-type icmp6-code | icmp6-message } | logging | routing [ type routing-type ] | source { source source-prefix | source/source-prefix | any } | source-port operator port1 [ port2 ] | time-range time-range-name | vpn-instance vpn-instance-name ] *
    Remarks: By default, an IPv6 advanced ACL does not contain any rule. The vpn-instance vpn-instance-name option is not available on a 5500 SI switch. If an IPv6 advanced ACL is for QoS traffic classification or packet filtering:
    • Do not specify the fragment, routing, or vpn-instance keyword, or specify neq for the operator argument.
    • Do not specify the flow-label keyword if the ACL is for outbound QoS traffic classification or outbound packet filtering on a 5500 EI switch.
    The logging and counting keywords (even if specified) do not take effect for QoS traffic classification.

Step 6. Add or edit a rule comment.
    Command: rule rule-id comment text
    Remarks: Optional. By default, no rule comments are configured.

Step 7. Add or edit a rule range remark.
    Command: rule [ rule-id ] remark text
    Remarks: Optional. By default, no rule range remarks are configured.

Step 8. Enable counting ACL rule matches performed in hardware.
    Command: hardware-count enable
    Remarks: Optional. Disabled by default. When the ACL is referenced by a QoS policy, this command does not take effect.
Configuring an Ethernet frame header ACL

Ethernet frame header ACLs, also called Layer 2 ACLs, match packets based on Layer 2 protocol header fields, such as source MAC address, destination MAC address, 802.1p priority (VLAN priority), and link layer protocol type.

To configure an Ethernet frame header ACL:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Create an Ethernet frame header ACL and enter its view.
    Command: acl number acl-number [ name acl-name ] [ match-order { auto | config } ]
    Remarks: By default, no ACL exists. Ethernet frame header ACLs are numbered in the range of 4000 to 4999. You can use the acl name acl-name command to enter the view of a named Ethernet frame header ACL.

Step 3. Configure a description for the Ethernet frame header ACL.
    Command: description text
    Remarks: Optional. By default, an Ethernet frame header ACL has no ACL description.

Step 4. Set the rule numbering step.
    Command: step step-value
    Remarks: Optional. The default setting is 5.

Step 5. Create or edit a rule.
    Command: rule [ rule-id ] { deny | permit } [ cos vlan-pri | counting | dest-mac dest-addr dest-mask | { lsap lsap-type lsap-type-mask | type protocol-type protocol-type-mask } | source-mac sour-addr source-mask | time-range time-range-name ] *
    Remarks: By default, an Ethernet frame header ACL does not contain any rule. If the ACL is for QoS traffic classification or packet filtering, to use the lsap keyword, the lsap-type argument must be AAAA and the lsap-type-mask argument must be FFFF. Otherwise, the ACL cannot function normally.

Step 6. Add or edit a rule comment.
    Command: rule rule-id comment text
    Remarks: Optional. By default, no rule comments are configured.

Step 7. Add or edit a rule range remark.
    Command: rule [ rule-id ] remark text
    Remarks: Optional. By default, no rule range remarks are configured.

Step 8. Enable counting ACL rule matches performed in hardware.
    Command: hardware-count enable
    Remarks: Optional. Disabled by default. When the ACL is referenced by a QoS policy, this command does not take effect.

Copying an ACL

You can create an ACL by copying an existing ACL (source ACL). The new ACL (destination ACL) has the same properties and content as the source ACL, but not the same ACL number and name.

To successfully copy an ACL, make sure that:
• The destination ACL number is from the same category as the source ACL number.
• The source ACL already exists but the destination ACL does not.

Copying an IPv4 ACL

Step 1. Enter system view.
    Command: system-view

Step 2. Copy an existing IPv4 ACL to create a new IPv4 ACL.
    Command: acl copy { source-acl-number | name source-acl-name } to { dest-acl-number | name dest-acl-name }

Copying an IPv6 ACL

Step 1. Enter system view.
    Command: system-view

Step 2. Copy an existing IPv6 ACL to generate a new one of the same category.
    Command: acl ipv6 copy { source-acl6-number | name source-acl6-name } to { dest-acl6-number | name dest-acl6-name }

Packet filtering with ACLs

You can use an ACL to filter incoming or outgoing IPv4 or IPv6 packets. You can apply at most one IPv4 ACL, one IPv6 ACL, and one Ethernet frame header ACL to filter packets in the same direction of an interface.

With a basic or advanced ACL, you can log filtering events by specifying the logging keyword in the ACL rules and enabling the counting function. To enable counting for rule matches performed in hardware, configure the hardware-count enable command for the ACL or specify the counting keyword in the ACL rules.

You can set the packet filter to periodically send packet filtering logs to the information center as informational messages. The interval for generating and outputting packet filtering logs is configurable. The log information includes the number of matching packets and the ACL rules used in an interval. For more information about the information center, see Network Management and Monitoring Configuration Guide.

NOTE: ACLs on VLAN interfaces filter only packets forwarded at Layer 3.

Applying an IPv4 or Ethernet frame header ACL for packet filtering

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A
Step 2. Enter interface view.
    Command: interface interface-type interface-number
    Remarks: N/A

Step 3. Apply an IPv4 basic, IPv4 advanced, or Ethernet frame header ACL to the interface to filter packets.
    Command: packet-filter { acl-number | name acl-name } { inbound | outbound }
    Remarks: By default, no ACL is applied to any interface.

Step 4. Exit to system view.
    Command: quit
    Remarks: N/A

Step 5. Set the interval for generating and outputting IPv4 packet filtering logs.
    Command: acl logging frequence frequence
    Remarks: By default, the interval is 0. No IPv4 packet filtering logs are generated.

Applying an IPv6 ACL for packet filtering

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Enter interface view.
    Command: interface interface-type interface-number
    Remarks: N/A

Step 3. Apply an IPv6 basic or IPv6 advanced ACL to the interface to filter IPv6 packets.
    Command: packet-filter ipv6 { acl6-number | name acl6-name } { inbound | outbound }
    Remarks: By default, no IPv6 ACL is applied to the interface.

Step 4. Exit to system view.
    Command: quit
    Remarks: N/A

Step 5. Set the interval for generating and outputting IPv6 packet filtering logs.
    Command: acl ipv6 logging frequence frequence
    Remarks: The default interval is 0. No IPv6 packet filtering logs are generated.

Displaying and maintaining ACLs

Task: Display configuration and match statistics for one or all IPv4 ACLs.
    Command: display acl { acl-number | all | name acl-name } [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view.

Task: Display configuration and match statistics for one or all IPv6 ACLs.
    Command: display acl ipv6 { acl6-number | all | name acl6-name } [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view.

Task: Display the usage of ACL rules.
    Command: display acl resource [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view.

Task: Display the application status of packet filtering ACLs on interfaces.
    Command: display packet-filter { { all | interface interface-type interface-number } [ inbound | outbound ] | interface vlan-interface vlan-interface-number [ inbound | outbound ] [ slot slot-number ] } [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view.

Task: Display the configuration and status of one or all time ranges.
    Command: display time-range { time-range-name | all } [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view.

Task: Clear statistics for one or all IPv4 ACLs.
    Command: reset acl counter { acl-number | all | name acl-name }
    Remarks: Available in user view.

Task: Clear statistics for one or all IPv6 basic and advanced ACLs.
    Command: reset acl ipv6 counter { acl6-number | all | name acl6-name }
    Remarks: Available in user view.

Configuration example of using ACL for device management

Network requirements

As shown in Figure 1, configure ACLs so that:
• Host A can telnet to the switch only during the working time (8:30 to 18:00 of every working day).
• As a TFTP client, the switch can get files from only the server 11.1.1.100. This makes sure that the switch saves only authorized files.
• As an FTP server, the switch accepts the login requests from only the NMS.

Figure 1 Network diagram (Host A 10.1.3.1, Switch 10.1.3.254 on 10.1.3.0/24 with the Servers, R&D dept. and Admin dept. segments, TFTP server 11.1.1.100)

Configuration procedure

1. Limit the telnet login requests.

# Create a time range named telnet to cover 8:30 to 18:00 of every working day.
system-view
[Switch] time-range telnet 8:30 to 18:00 working-day
# Create IPv4 basic ACL 2000, and configure a rule for the ACL to permit the packets sourced from 10.1.3.1 only during the time specified by time range telnet.
[Switch] acl number 2000
[Switch-acl-basic-2000] rule permit source 10.1.3.1 0 time-range telnet
[Switch-acl-basic-2000] quit
# Apply ACL 2000 to the inbound traffic of all telnet user interfaces to limit the telnet login requests.
[Switch] user-interface vty 0 4
[Switch-ui-vty0-4] acl 2000 inbound
[Switch-ui-vty0-4] quit

2. Limit the access to the TFTP server.

# Create IPv4 basic ACL 2001, and configure a rule for the ACL to permit only the packets sourced from 11.1.1.100.
[Switch] acl number 2001
[Switch-acl-basic-2001] rule permit source 11.1.1.100 0
[Switch-acl-basic-2001] quit
# Use ACL 2001 to control the switch's access to a specific TFTP server.
[Switch] tftp-server acl 2001

3. Limit the FTP login requests.

# Create IPv4 basic ACL 2002, and configure a rule for the ACL to permit only the packets sourced from 10.1.3.1.
[Switch] acl number 2002
[Switch-acl-basic-2002] rule permit source 10.1.3.1 0
[Switch-acl-basic-2002] quit
# Enable the FTP server on the switch.
[Switch] ftp server enable
# Use ACL 2002 to control FTP clients' access to the FTP server.
[Switch] ftp server acl 2002

IPv4 packet filtering configuration example

Network requirements

As shown in Figure 2, apply an ACL to the inbound direction of interface GigabitEthernet 1/0/1 on Device A so that every day from 08:00 to 18:00 the interface allows only packets sourced from Host A to pass. Configure Device A to output IPv4 packet filtering logs to the console at 10-minute intervals.

Figure 2 Network diagram

Configuration procedure

# Create a time range from 08:00 to 18:00 every day.
system-view
[DeviceA] time-range study 8:00 to 18:00 daily
# Create IPv4 ACL 2009, and configure two rules in the ACL. One rule permits packets sourced from Host A and the other denies packets sourced from any other host during the time range study. Enable logging for the permit rule.
[DeviceA] acl number 2009
[DeviceA-acl-basic-2009] rule permit source 192.168.1.2 0 time-range study logging
[DeviceA-acl-basic-2009] rule deny source any time-range study
[DeviceA-acl-basic-2009] quit
# Enable the device to generate and output IPv4 packet filtering logs at 10-minute intervals.
[DeviceA] acl logging frequence 10
# Configure the device to output informational log messages to the console.
[DeviceA] info-center source default channel 0 log level informational
# Apply IPv4 ACL 2009 to filter incoming packets on GigabitEthernet 1/0/1.
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] packet-filter 2009 inbound
[DeviceA-GigabitEthernet1/0/1] quit

IPv6 packet filtering configuration example

Network requirements

As shown in Figure 3, apply an IPv6 ACL to the incoming traffic of GigabitEthernet 1/0/1 on Device A so that every day from 08:00 to 18:00 the interface allows only packets from Host A to pass through. Configure Device A to output IPv6 packet filtering logs to the console at 10-minute intervals.

Figure 3 Network diagram

Configuration procedure

# Create a time range from 08:00 to 18:00 every day.
system-view
[DeviceA] time-range study 8:0 to 18:0 daily
# Create IPv6 ACL 2009, and configure two rules for the ACL. One permits packets sourced from Host A and the other denies packets sourced from any other host during the time range study. Enable logging for the permit rule.
[DeviceA] acl ipv6 number 2009
[DeviceA-acl6-basic-2009] rule permit source 1001::2 128 time-range study logging
[DeviceA-acl6-basic-2009] rule deny source any time-range study
[DeviceA-acl6-basic-2009] quit
# Configure the device to collect and output IPv6 packet filtering logs at 10-minute intervals.
[DeviceA] acl ipv6 logging frequence 10
# Configure the device to output informational log messages to the console.
[DeviceA] info-center source default channel 0 log level informational
# Apply IPv6 ACL 2009 to filter incoming packets on GigabitEthernet 1/0/1.
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] packet-filter ipv6 2009 inbound
[DeviceA-GigabitEthernet1/0/1] quit
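The two packet filtering examples above (IPv4 ACL 2009 and its IPv6 counterpart) modelled as an added Python example; this is not code from the guide or from the switch. It assumes rule IDs start at 0 with the default step of 5, that the end minute of a time range is exclusive, that a bare wildcard of 0 means an exact host, and that a packet matching no rule is forwarded (the guide's example adds an explicit deny rule for that case).

```python
# Constructed model of the basic-ACL packet filtering this page describes: rules are checked
# in configuration order and the first match decides, a time-range rule matches only inside
# its window, and per-rule match counts feed the periodic log. Rule IDs use the page's
# default step of 5; starting the numbering at 0 is an assumption of this model.
import ipaddress

def in_time_range(time_range, when):
    """time_range = (start_min, end_min, 'daily' | 'working-day'); end minute is exclusive."""
    start, end, days = time_range
    if days == "working-day" and when.weekday() > 4:  # Monday to Friday only
        return False
    return start <= when.hour * 60 + when.minute < end

class BasicAcl:
    def __init__(self, time_ranges, step=5):
        self.time_ranges, self.step, self.rules = time_ranges, step, []

    def rule(self, action, source, mask=None, time_range=None, logging=False):
        """IPv4 mask is a wildcard mask ('0' = exact host); IPv6 mask is a prefix length."""
        match = None
        if source != "any":
            addr = ipaddress.ip_address(source)
            if addr.version == 4:  # wildcard bit set = don't care; bare '0' is the CLI shorthand
                care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(int(mask) if mask.isdigit() else mask))
            else:                  # keep the high 'mask' bits of the 128-bit address
                care = ((1 << 128) - 1) ^ ((1 << (128 - int(mask))) - 1)
            match = (addr.version, int(addr) & care, care)
        self.rules.append({"id": len(self.rules) * self.step, "action": action, "match": match,
                           "time_range": time_range, "logging": logging, "hits": 0})

    def filter(self, source, when):
        """Return 'permit' or 'deny' for a packet from source arriving at datetime when."""
        addr = ipaddress.ip_address(source)
        for r in self.rules:
            version, value, care = r["match"] or (addr.version, 0, 0)  # None means 'source any'
            if addr.version != version or int(addr) & care != value:
                continue
            if r["time_range"] and not in_time_range(self.time_ranges[r["time_range"]], when):
                continue
            r["hits"] += 1
            return r["action"]
        return "permit"  # assumption: unmatched packets pass; the page adds an explicit deny rule

    def log_report(self):
        """Match counts of logging rules for the interval just ended; counters then restart."""
        report = {r["id"]: r["hits"] for r in self.rules if r["logging"]}
        for r in self.rules: r["hits"] = 0
        return report

def build_acl_2009(ipv6=False):
    """The page's ACL 2009: permit Host A (logged), deny all other hosts, both during 'study'."""
    acl = BasicAcl({"study": (8 * 60, 18 * 60, "daily")})  # time-range study 8:00 to 18:00 daily
    acl.rule("permit", "1001::2" if ipv6 else "192.168.1.2", "128" if ipv6 else "0",
             time_range="study", logging=True)
    acl.rule("deny", "any", time_range="study")
    return acl
```

Calling log_report() once per interval mirrors what acl logging frequence 10 reports: the hit count of each logging rule since the previous report.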
QoS overview

In data communications, Quality of Service (QoS) is a network's ability to provide differentiated service guarantees for diversified traffic in terms of bandwidth, delay, jitter, and drop rate.

Network resources are scarce. The contention for resources requires that QoS prioritize important traffic flows over trivial ones. For example, in the case of fixed bandwidth, if a traffic flow gets more bandwidth, the other traffic flows will get less bandwidth and may be affected. When making a QoS scheme, you must consider the characteristics of various applications to balance the interests of diversified users and to utilize network resources.

The following section describes some typical QoS service models and widely used, mature QoS techniques.

QoS service models

Best-effort service model

The best-effort model is a single-service model and also the simplest service model. In this service model, the network does its best to deliver packets, but does not guarantee delivery or control delay.

The best-effort service model is the default model in the Internet and applies to most network applications. It uses the first in first out (FIFO) queuing mechanism.

IntServ model

The integrated service (IntServ) model is a multiple-service model that can accommodate diverse QoS requirements. This service model provides the most granularly differentiated QoS by identifying and guaranteeing definite QoS for each data flow.

In the IntServ model, an application must request service from the network before it sends data. IntServ signals the service request with the Resource Reservation Protocol (RSVP). All nodes receiving the request reserve resources as requested and maintain state information for the application flow.

The IntServ model demands high storage and processing capabilities because it requires all nodes along the transmission path to maintain resource state information for each flow. This model is suitable for small-sized or edge networks, but not large-sized networks, for example, the core layer of the Internet, where billions of flows are present.

DiffServ model

The differentiated service (DiffServ) model is a multiple-service model that can satisfy diverse QoS requirements. It is easy to implement and extend. DiffServ does not signal the network to reserve resources before sending data, as IntServ does.

All QoS techniques in this document are based on the DiffServ model.
QoS techniques

The QoS techniques include traffic classification, traffic policing, traffic shaping, line rate, congestion management, and congestion avoidance. They address problems that arise at different positions of a network.

Figure 4 Placement of the QoS techniques in a network

As shown in Figure 4, traffic classification, traffic shaping, traffic policing, congestion management, and congestion avoidance mainly implement the following functions:
• Traffic classification—Uses certain match criteria to assign packets with the same characteristics to a class. Based on classes, you can provide differentiated services.
• Traffic policing—Polices flows entering or leaving a device, and imposes penalties on traffic flows that exceed the pre-set threshold to prevent aggressive use of network resources. You can apply traffic policing to both incoming and outgoing traffic of a port.
• Traffic shaping—Proactively adapts the output rate of traffic to the network resources available on the downstream device to eliminate packet drops. Traffic shaping usually applies to the outgoing traffic of a port.
• Congestion management—Provides a resource scheduling policy to determine the packet forwarding sequence when congestion occurs. Congestion management usually applies to the outgoing traffic of a port.
• Congestion avoidance—Monitors the network resource usage, and is usually applied to the outgoing traffic of a port. When congestion worsens, congestion avoidance reduces the queue length by dropping packets.