V600R003C00
Troubleshooting - QoS
Issue 02
Date 2011-09-10
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.
Website: http://www.huawei.com
Email: support@huawei.com
Issue 02 (2011-09-10)
• This document takes interface numbers and link types of the NE40E-X8 as an example. In working
situations, the actual interface numbers and link types may be different from those used in this
document.
• On NE80E/40E series excluding NE40E-X1 and NE40E-X2, line processing boards are called Line
Processing Units (LPUs) and switching fabric boards are called Switching Fabric Units (SFUs). On
the NE40E-X1 and NE40E-X2, there are no LPUs and SFUs, and NPUs implement the same functions
of LPUs and SFUs to exchange and forward packets.
Related Versions
The following table lists the product versions related to this document.
Product Name                      Version
HUAWEI NetEngine80E/40E Router    V600R003C00
Intended Audience
This document is intended for:
• Policy planning
• NM configuration engineer
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol
Description
DANGER
WARNING
CAUTION
TIP
NOTE
Change History
Updates between document issues are cumulative. Therefore, the latest document issue contains
all updates made in previous issues.
Contents
About This Document
1 QoS
1.1 Troubleshooting of 802.1P Simple Traffic Classification
1.1.1 Typical Networking
1.1.2 Troubleshooting Flow
1.1.3 Troubleshooting Procedures
1.2 Troubleshooting of Complex Traffic Classification
1.2.1 Typical Networking
1.2.2 Troubleshooting Flow
1.2.3 Troubleshooting Procedures
1.3 Troubleshooting of Queue Scheduling Based on Traffic Classification
1.3.1 Typical Networking
1.3.2 Troubleshooting Flow
1.3.3 Troubleshooting Procedures
1.4 Troubleshooting ATM QoS
1.4.1 Typical Networking
1.4.2 Troubleshooting Flowchart
1.4.3 Troubleshooting Procedure
1.5 Troubleshooting HQoS
1.5.1 Typical Networking
1.5.2 Troubleshooting Flowchart
1.5.3 Troubleshooting Procedure
1.6 Troubleshooting UCL
1.6.1 Typical Networking
1.6.2 Troubleshooting Flow
1.6.3 Troubleshooting Procedure
1.7 Troubleshooting Last Mile QoS
1.7.1 Typical Networking
1.7.2 Troubleshooting Flow
1.7.3 Troubleshooting Procedure
1.8 BAS HQoS Does Not Take Effect
1.8.1 Common Causes
1.8.2 Troubleshooting Flowchart
1 QoS
[Networking diagram labels: RouterA, RouterB, RouterC, RouterD; GE1/0/1, GE1/0/1.1, GE3/0/1.1, GE8/0/1; vlan-type dot1q 1]
2. The packet reaches the sub-interface GE 3/0/1.1 of Router C through Router B and the
value of 802.1p is 1.
[Troubleshooting flowchart. Decisions: Is the mapping used on the outbound interface correct? Is the inbound/outbound interface the subinterface? Is 8021P enabled on the inbound/outbound interface? Is the fault removed? Other nodes: Seek Huawei technical support; End.]
• If trust upstream default is configured, run the display diffserv domain command in global
configuration mode to check the mapping of the default domain. If the mapping does not
meet the requirement, re-configure it.
Step 2 Check the mapping of the interface receiving the packet
Run the display this command on the sub-interface GE 3/0/1.1 of Router C to check whether the trust upstream [ ds-domain-name ] command is configured.
• If non-default domain is configured, run the display diffserv domain command in global
configuration mode to check the mapping of the domain.
• If trust upstream default is not configured, run the display diffserv domain command in
global configuration mode to check the mapping of the default domain. If the mapping
does not meet the requirement, re-configure it.
Step 3 Check that 802.1P is enabled
Run the display this command on the sub-interface GE 3/0/1.1 of Router C to check whether the
trust 8021P command is configured. If it is not configured, configure it.
----End
[Networking diagram labels: RouterA, RouterB; GE1/0/1.1, GE8/0/1.1; mac address 1-1-1]
2. GE 8/0/1.1 of Router B receives the packet and discards it. Or Router B discards it based
on the source MAC address of the packet.
[Troubleshooting flowchart. Checks: whether the inbound interface receives the packet; whether the traffic classification rule of the inbound interface is correct; whether the traffic behavior is correct; whether the traffic policy is correct; whether the traffic policy is applied correctly; Is the fault removed? Actions: Re-configure the traffic classification rule; Re-configure the traffic behavior; Re-configure the traffic policy; Seek Huawei technical support; End.]
1. Run the display acl command in the system view to check whether the filter rule is set to
discard the packet from the specified source MAC address, that is, whether the rule
deny source-mac command is configured.
2. Run the display current-configuration command in the system view to check whether the traffic classifier command is configured.
3. Check whether the following if-match clauses are configured in the configured traffic
classification view:
• if-match 8021p 3
• if-match acl acl-number. The acl-number is the number of the ACL that matches the packets
from the specified source MAC address that are to be discarded.

1. Run the display current-configuration command in the system view to check whether the traffic behavior command is configured.
2. Check whether the deny command is configured in the configured traffic behavior view.

1. Run the display current-configuration command in the system view to check whether the traffic policy command is configured.
2. Check whether the classifier behavior command is configured correctly in the traffic policy
view.
[Networking diagram labels: RouterA, RouterB, RouterC; GE1/0/0, GE1/0/1, GE8/0/1]
1. Router A sends ef traffic at 700 M, af1 traffic at 100 M, af2 traffic at 200 M, and be
traffic at 300 M. The bandwidth of GE 1/0/1 of Router B is 1000 M, so congestion occurs.
2. According to queue scheduling, all the ef traffic can be transmitted from GE 1/0/1,
and the af1, af2, and be traffic is transmitted at 50 M, 100 M, and 150 M respectively.
[Troubleshooting flowchart. Checks: the network connectivity; whether simple traffic classification is configured on the inbound interface; whether simple traffic classification is configured on the outbound interface; whether queue scheduling is configured correctly; Is the fault removed? Actions: Isolate the network fault; Configure simple traffic classification on the inbound interface; Configure simple traffic classification on the outbound interface; Configure queue scheduling correctly; Seek Huawei technical support; End.]
Figure 1-7 Networking diagram for configuring ATM QoS for 1-to-1 VCC ATM transmission
[Diagram labels: CE1, CE2, PE1, PE2; ATM Network, MPLS; ATM1/0/0.1 (PVC1: 1/100), ATM2/0/0, POS1/0/0; 1.1.1.9/32, 3.3.3.9/32, 10.1.1.1/24, 10.1.2.2/24, 100.1.1.1/24, 100.1.1.2/24]
In the figure:
• L2VPN is configured on PE1 and PE2; the L2VPN is bound with the interface of the PE
that is connected to the CE.
• PVC is configured on the CE and transparent cell transmission is configured on the ATM
side of the PE.
[Troubleshooting flowchart. Decisions: LSP or remote session set up between PEs? L2VPN configuration correct between PEs? ATM cell transmission configuration correct on CEs? Simple or forced traffic classification configured on PEs? Fault removed? Actions: Modify L2VPN configured between PEs; Modify traffic classification configured for PVC on private interface; Seek technical support; End.]
Check whether MPLS LDP sessions are set up between the PEs.
For detailed troubleshooting procedure, see HUAWEI NetEngine80E/40E MPLS
L2VPN Troubleshooting.
• If the problem still remains unsolved, contact the local Huawei technical support
engineer.
Check that forced ATM traffic classification is enabled on the upstream ATM interface
or PVC/PVP.
In the interface view, run the display current-configuration command. Check
whether the traffic queue service-class { green | red | yellow } command is run on
the interface.
The router should be able to put upstream ATM cells into queues according to their
service class and color to carry out diff-serv according to interfaces and PVC/PVP.
You can run the display port-queue command to check the outgoing queue on the
interface.
2.
If the problem still remains unsolved, contact the local Huawei technical support
engineer.
----End
[Networking diagram labels: CE1, PE1, PE2; IP backbone network; GE2/0/0 172.1.1.1/24, GE3/0/0 172.1.1.2/24]
In general, HQoS is configured on the access-layer router to guarantee bandwidth and limit
traffic of users or user groups.
In this networking, the configuration roadmap of HQoS is as follows:
[Networking diagram labels: PE1, PE2; IP backbone network; GE2/0/0 172.1.1.1/24, GE3/0/0 172.1.1.2/24; VLL, VPLS, L3VPN]
In this networking, the client gateways connect to the sub-interface of the PE by means of VLL,
VPLS or L3VPN. HQoS is configured on the access side of the PE to guarantee the bandwidth
and limit traffic of users or user groups.
The configuration roadmap is similar to that on the primary interface.
[Troubleshooting flowchart. Decisions: Traffic size too small; Trunk interface; Excessive protocol packets; Upstream; Multicast, broadcast, unicast packets exist; Downstream connected to the MPLS core network; Fault removed? Other nodes: Check the configuration of load balancing; Downstream broadcast and unknown unicast have no rate limit; Seek technical support; End.]
If the volume of traffic is smaller than the configuration, check that the interface where
HQoS is configured is an Eth-Trunk interface.
2.
3.
If packet-based load balancing is configured on the Eth-Trunk interface, disable the load
balancing. Then the problem can be solved.
Huawei Proprietary and Confidential
Copyright Huawei Technologies Co., Ltd.
4.
If the volume of traffic is larger than the configuration and the interface is not an Eth-Trunk
interface, perform Step 3.
5.
[Networking diagram labels: PC, VOIP, IPTV, DSLAM 1, Router, ISP network]
[Troubleshooting flowchart. Decisions: Is interface configured with CTC? Are too many rules configured? Is fault rectified? Actions: Configure UCL on UCL-supporting board; Delete configured CTC policies; Delete excessive rules; Contact Huawei technical support personnel; End.]
A maximum number of 2048 UCL rules can be configured. In addition, UCL rules of varying types are
applied to incoming and outgoing traffic differently.
• If the number of UCL rules that are configured exceeds the upper limit, delete the excessive
UCL rules.
• If the number of UCL rules that are configured does not exceed the upper limit, go to Step
4.
Step 4 If the fault persists, contact the Huawei technical support personnel.
----End
Last Mile QoS cannot be configured on the X1 and X2 models of the NE80E/40E.
The user accesses the network through the GE 2/0/0 on the router.
[Networking diagram labels: PC, CPE, ATM DSLAM, BRAS; GE2/0/0; PPPoA, PPPoE, IPoE, Ethernet]
NOTE
A user can access the network through either PPPoA or PPPoE. When the local link type and remote link
type are different, you need to configure last mile QoS and set a remote packet compensation value.
[Troubleshooting flowchart. Decisions: Last mile QoS enabled or not? Mode of last mile QoS correct? Fault rectified? Actions: Enable last mile QoS; Configure correct mode of last mile QoS; Contact Huawei technical support personnel; End.]
Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct
the fault, you will have a record of your actions to provide Huawei technical support personnel.
Procedure
Step 1 Check that BAS HQoS is configured on the device.
• For family users, check whether a QoS profile is applied to an interface on the user side.
Run the display this command in the view of the interface connected to the faulty client to
check whether a QoS profile is applied.
If no QoS profile is applied, run the qos-profile qos-profile-name { inbound | outbound }
command to apply a correct QoS profile. The new configuration takes effect after the user
goes online again.
NOTE
The newly applied QoS profile is invalid for the logged-on users. After the user goes offline and goes
online again, the QoS profile takes effect.
• For common users, check whether a QoS profile is applied to an interface on the user side.
Run the display domain domain-name command to view the Qos-profile-name inbound
and Qos-profile-name outbound fields to check whether a QoS profile is applied.
If the values of the Qos-profile-name inbound and Qos-profile-name outbound fields are
not displayed, no QoS profile is applied. Run the qos-profile qos-profile-name { inbound |
outbound } command in the user domain view. The new configuration takes effect after the
user goes online again.
• If BAS HQoS is correctly configured, go to Step 2.
Step 2 Check that the QoS profile is correctly configured.
Run the display qos-profile configuration qos-profile-name command to check whether the
user-queue or car command is configured in the QoS profile.
• If the user-queue or car command is not configured, run the user-queue or car command
in the QoS profile view. The new configuration takes effect after the user goes offline and
goes online again.
• If the QoS profile is correctly configured, go to Step 3.
Step 3 Collect the following information and contact Huawei technical support personnel.
• Results of the preceding operation procedure
• Configuration files, log files, and alarm files of the devices
----End
Relevant Logs
None.
• Discards UDP packets with the destination address being 10.1.1.1/30 and port numbers
smaller than 1023.
• Applies a CAR policy to other packets with the destination address being 10.1.1.1/30 and
port numbers equal to or larger than 1023 to limit the transmission rate to 400 Mbit/s.
After the configurations, the router applies the CAR policy to the UDP packets with the
destination address being 10.1.1.1/30, thus implementing traffic control; however, it does not
discard the UDP packets with the destination address being 10.1.1.1/30 and port numbers
smaller than 1023.
Figure 1-16 Packets not discarded after traffic policy is configured
[Diagram labels: Network, Router, GE1/0/0]
Fault Analysis
1.
2.
The command output shows that UDP packets are first matched against the ACL rule
associated with the classifier that is configured first in a traffic policy. After the UDP
packets match that ACL rule, they are not matched against the other ACL rule. In this case, the
UDP packets with the destination address being 10.1.1.1/30 and the port number
smaller than 1023 match ACL 3010, so the traffic limit takes effect on these packets.
After this, the UDP packets are not matched against the other ACL rule and therefore are
not discarded.
Procedure
Step 1 Run the undo traffic-policy inbound command in the interface view to delete the associated
policy applied to an interface.
Step 2 Run the system-view command to enter the system view.
Step 3 Run the undo traffic policy tp command to delete the traffic policy.
Step 4 Run the traffic policy tp command to create a traffic policy and enter the traffic policy view.
Step 5 Run the classifier c2 behavior b2 command and then the classifier c1 behavior b1 command
to change the sequence for applying ACL rules in the traffic policy.
Step 6 Run the traffic-policy policy-name inbound command to apply the associated policy on the
interface.
After the preceding operations, the UDP packets with the destination address being 10.1.1.1/30
and the port numbers smaller than 1023 are discarded, and traffic control is performed on other
packets with the destination address being 10.1.1.1/30. The fault is then rectified.
----End
Summary
The sequence for applying ACL rules must be correct. During traffic classification, packets
are matched against ACL rules in sequence, starting from the ACL associated with the classifier
that is configured first in a traffic policy. If the packets match an ACL rule, the packets are
processed based on that ACL rule and are not matched against other ACL rules.
When configuring a traffic policy, ensure that the sequence in which traffic classifiers are applied
is correct.
[Networking diagram labels: Soft 3000, Router, Switch A, Switch B]
Fault Analysis
1. Run the display current-configuration command on the router to check the current
configuration.
acl number 10001
 rule ip
traffic classifier any-ngn
 if-match acl 10001
traffic behavior action-ef
 remark ip-precedence 4
traffic policy eacl-ef
 classifier any-ngn behavior action-ef precedence 0
interface GigabitEthernet1/0/0
 port-queue af4 shaping 10 outbound
 port-queue ef shaping 100 outbound
 trust upstream default
The command output shows that the IP precedence value is set to 4 (corresponding to AF4),
the committed bandwidth for AF4 on the interface is 10 Mbit/s, and packet loss occurs
when the traffic volume is greater than 10 Mbit/s. In this case, the volume of NGN traffic
on Switch A exceeds 10 Mbit/s.
2. Run the display port-queue statistics interface gigabitethernet 1/0/0 af4 outbound
command. You can find that a large number of packets in the AF queue are discarded.
[af4]
  Current usage percentage of queue: 0
  Total pass:
                 0 packets,                 0 bytes
  Total discard:
        13,608,926 packets,    39,502,685,409 bytes
  Drop tail discard:
                 0 packets,                 0 bytes
  Wred discard:
                 0 packets,                 0 bytes
  Last 30 seconds pass rate:
           453,631 pps,         1,316,756,180 bps
  Last 30 seconds discard rate:
                 0 pps,                     0 bps
  Drop tail discard rate:
                 0 pps,                     0 bps
  Wred discard rate:
                 0 pps,                     0 bps
  Peak rate:
    0000-00-00 00:00:00                     0 bps
The command output shows that the IP precedence value of the router is set to 4
(corresponding to AF4) and packet loss occurs when the traffic volume exceeds 10 Mbit/
s. As a result, packet loss occurs when Switch A pings the Soft 3000.
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the traffic behavior behavior-name command to enter the traffic behavior view.
Step 3 Run the remark ip-precedence 5 command to re-mark the IP precedence and specify the ToS
of VPN NGN services to EF.
After the preceding operations, the IP precedence value is set to 5, which corresponds to EF set
with the port-queue ef shaping 100 outbound command on the interface. Thus, the committed
bandwidth of VPN NGN services is changed to 100 Mbit/s.
----End
Summary
After the remark ip-precedence precedence command is run on a device, the device maps the
re-marked IP precedence with a ToS.
The mappings between IP precedences and ToSs are as follows:
be
af1    green
af2    green
af3    green
af4    green
ef     green
ef     green
ef     green
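The check below is an added example, not part of the original document or of any Huawei tool: it reads the configuration shown in the fault analysis and reports which queue a remark ip-precedence value puts traffic in and which outbound shaping value then applies. Indexing the mapping rows by IP precedence 0 to 7 is an assumption (the page confirms only 4 to af4 and 5 to ef), and the function names are hypothetical.

```python
import re

# Service classes in the order of the page's mapping table. Indexing the rows
# by IP precedence 0-7 is an assumption; the page confirms 4 -> af4, 5 -> ef.
PRECEDENCE_TO_QUEUE = ("be", "af1", "af2", "af3", "af4", "ef", "ef", "ef")

# Configuration from the fault analysis, with indentation restored.
CONFIG = """\
acl number 10001
 rule ip
traffic classifier any-ngn
 if-match acl 10001
traffic behavior action-ef
 remark ip-precedence 4
traffic policy eacl-ef
 classifier any-ngn behavior action-ef precedence 0
interface GigabitEthernet1/0/0
 port-queue af4 shaping 10 outbound
 port-queue ef shaping 100 outbound
 trust upstream default
"""


def sections(config):
    """Split an indented configuration into {header line: [sub-commands]}."""
    out, current = {}, None
    for line in config.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            current = line.strip()
            out[current] = []
        elif current is not None:
            out[current].append(line.strip())
    return out


def remark_audit(config):
    """For each behavior that re-marks IP precedence, return tuples of
    (behavior, queue, interface, outbound shaping in Mbit/s or None)."""
    sec = sections(config)
    shaping = {}
    for header, body in sec.items():
        if header.startswith("interface "):
            iface = header.split(None, 1)[1]
            pairs = re.findall(r"port-queue (\S+) shaping (\d+) outbound", "\n".join(body))
            shaping[iface] = {queue: int(value) for queue, value in pairs}
    findings = []
    for header, body in sec.items():
        if not header.startswith("traffic behavior "):
            continue
        for line in body:
            m = re.fullmatch(r"remark ip-precedence ([0-7])", line)
            if m:
                queue = PRECEDENCE_TO_QUEUE[int(m.group(1))]
                for iface, limits in shaping.items():
                    findings.append((header.split()[-1], queue, iface, limits.get(queue)))
    return findings


if __name__ == "__main__":
    # Faulty configuration, then the same configuration after the procedure's fix.
    for cfg in (CONFIG, CONFIG.replace("ip-precedence 4", "ip-precedence 5")):
        print(remark_audit(cfg))
```

A result of None in the last field means the interface sets no shaping for the queue the re-marked traffic lands in.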
[Networking diagram labels: RouterA, Broadband Access Router, Modem, User]
Fault Analysis
1. After packets are captured, information shows that the port numbers used by ADSL users
dialing through a modem range from 1000 to 10000, but the port numbers used by ADSL
users dialing through an agent dialer are translated by NAT into port numbers larger than
10000.
2. Run the display current-configuration command on the device to check the traffic limit
configured on the interface. The command output shows that a P2P traffic policy has been
configured. Based on the traffic policy, the transmission rate of services with the port
number larger than 10000 is limited to within 20 Mbit/s. In this case, insufficient bandwidth
causes slow Web page loading when ADSL users dialing through an agent dialer attached to the
modem access the Internet during the period from 19:00 to 23:30.
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the interface interface-type interface-number command to enter the interface view.
Step 3 Run the undo traffic-policy { inbound | outbound } command to delete the traffic policy.
After the preceding operations, the ADSL users using the agent dialer experience
normal Web page loading. The fault is rectified.
----End
Summary
Check the port numbers used for transmitting a service before setting a traffic limit for the
service. In addition, if the service passes through a NAT device, such as a firewall or a NAT-enabled
router, consider the impact of the NAT process before setting the traffic limit, so that
an incorrect setting does not affect user traffic over an entire network.
1.9.4 Rate Limit Does Not Take Effect When Both Rate Limit and Access Control Are Configured
Fault Symptom
Access control is configured on Router A to discard UDP packets destined for specific
ports, and rate limit is configured to limit the rate of the other data packets. After the
configuration is complete, it is found that rate limit does not take effect.
Figure 1-19 Networking diagram for Rate Limit Does Not Take Effect
[Diagram labels: Network, Network, RouterA]
Fault Analysis
1.
The preceding command output shows that after a data packet enters an interface, the packet is
matched against ACL rules. If the packet matches an ACL rule whose action is deny, the packet
is discarded. Packets that do not match any ACL rule are directly forwarded.
Therefore, to limit the rate of the data packets that do not match any ACL rule, you need to add
an ACL rule to implement the permit action on these packets. Then, rate limit takes effect with
these data packets.
Procedure
Step 1 Run the undo traffic-policy command in the interface view to cancel the traffic policy that is
applied to the interface.
Step 2 Run the system-view command to enter the system view.
Step 3 Run the undo traffic policy policy-name command to delete the traffic policy from the device.
Step 4 Run the traffic behavior udp-limit command to enter the traffic behavior view.
Step 5 Run the undo car command to cancel the configured traffic rate limit.
Step 6 Run the quit command to return to the system view.
Step 7 Run the acl [ number ] acl-number command to add an ACL.
Step 8 Run the rule rule-id permit any command to implement the permit action on the packets other
than the UDP packets destined for specific ports.
Step 9 Run the quit command to return to the system view.
Step 10 Run the traffic classifier classifier-name command to configure a traffic classifier.
Step 11 Run the if-match acl acl-number command to define an ACL matching rule.
Step 12 Run the quit command to return to the system view.
Step 13 Run the traffic behavior behavior-name command to configure a traffic behavior.
Step 14 Run the car cir 1360000 cbs 1360000 pbs 0 green pass yellow discard red discard command
to configure a rate limit for the packets that are allowed to pass.
Step 15 Run the quit command to return to the system view.
Step 16 Run the traffic policy policy-name command to create a traffic policy and then run the
classifier classifier-name behavior behavior-name command to associate the traffic classifier
with the traffic behavior in the traffic policy.
Step 17 Run the traffic-policy policy-name inbound command on the interface to apply the traffic
policy to the interface.
Step 18 Run the display current-configuration command to check the corresponding configurations.
acl number 3300
 rule 0 deny udp destination-port eq dns
 rule 1 deny udp destination-port eq snmp
 rule 2 deny udp destination-port eq snmptrap
 rule 3 deny udp destination-port eq syslog
acl number 3301
 rule 4 permit any
traffic classifier udp-limit operator or
 if-match acl 3300
traffic classifier udp-limit1 operator or
 if-match acl 3301
traffic behavior udp-limit
traffic behavior udp-limit1
 car cir 1360000 cbs 1360000 pbs 0 green pass yellow discard red discard
traffic policy udp-limit
 classifier udp-limit behavior udp-limit
 classifier udp-limit1 behavior udp-limit1
interface gigabitEthernet 1/0/0
 traffic-policy udp-limit inbound
After the preceding operations, both access control and rate limit take effect. The fault is rectified.
----End
Summary
When configuring access control, you can use the parameter deny to discard packets. The other
packets that are not discarded are directly forwarded without rate limit by default. To limit the
rate of the packets that are not denied, you need to first configure an ACL rule to allow them to
pass. Then, configure traffic behaviors to limit the rate at which these packets are forwarded.
[Networking diagram labels: RouterA, RouterB, RouterC; GE1/0/0, GE1/0/1]
Fault Analysis
1. After configurations of rate limit are deleted by using the undo car command in the traffic
behavior view on Router A, a user on another network can access the DNS server on this
network. Therefore, it can be concluded that the fault is caused by incorrect configurations.
2.
The preceding information indicates that DNS, SNMP, SNMP Trap, and Syslog packets
are all denied. This is because these packets match the ACL rules whose action is deny.
As a result, these packets are directly discarded on Router A, and thus are not processed
based on the configured traffic behaviors.
Therefore, the actions in the rules of ACL 3300 need to be set to permit for DNS, SNMP,
SNMP Trap, and Syslog packets, and an ACL rule needs to be added to implement rate
limit on the other types of UDP packets.
Procedure
Step 1 Define ACL 3300 for DNS, SNMP, SNMP Trap, and Syslog packets, configure a traffic
classifier by using the traffic classifier udp-limit command, configure a traffic behavior by using
the traffic behavior udp-limit command, and create a traffic policy by using the traffic policy
udp-limit command.
Step 2 Define ACL 3301 for UDP packets other than DNS, SNMP, SNMP Trap, and Syslog packets,
configure a traffic classifier by using the traffic classifier udp-limit1 command, configure a
traffic behavior by using the traffic behavior udp-limit1 command, and create a traffic policy
by using the traffic policy udp-limit1 command.
Step 3 Run the display current-configuration command on Router A to check the corresponding
configurations:
acl number 3300
 rule 0 permit udp destination-port eq dns
 rule 1 permit udp destination-port eq snmp
 rule 2 permit udp destination-port eq snmptrap
 rule 3 permit udp destination-port eq syslog
acl number 3301
 rule 0 permit udp
traffic classifier udp-limit operator or
 if-match acl 3300
traffic classifier udp-limit1 operator or
 if-match acl 3301
traffic behavior udp-limit
traffic behavior udp-limit1
 car cir 1360000 cbs 1360000 pbs 0 green pass yellow discard red discard
traffic policy udp-limit
 classifier udp-limit behavior udp-limit
 classifier udp-limit1 behavior udp-limit1
After matching ACL 3300, DNS, SNMP, SNMP Trap, and Syslog packets are forwarded based
on the traffic behavior configured through the traffic behavior udp-limit command. After
matching ACL 3301, UDP packets other than DNS, SNMP, SNMP Trap, and Syslog packets
are forwarded based on the traffic behavior configured in the traffic behavior udp-limit1
command.
After the preceding operations, a user on another network can access the DNS server on this
network and rate limit takes effect. The fault is rectified.
----End
Summary
An ACL not only classifies traffic but also permits or denies traffic, that is, forwards or discards
traffic. Therefore, make sure that packets that need to be rate limited are not discarded.
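The three traffic-policy faults above (classifier order, rate limit not taking effect beside access control, and DNS packets dropped by deny rules) follow from the same matching behaviour, so this added example models them together. It is not code from this document or from Huawei: it is a simplified Python model of the matching the summaries describe, the ACL contents behind c1 and c2 are assumed because the page gives them only in prose, and the probe packets are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    """One ACL rule. A proto or dst_net of None matches anything."""
    action: str                          # "permit" or "deny"
    proto: Optional[str] = None
    dst_net: Optional[str] = None
    ports: Tuple[int, int] = (0, 65535)  # inclusive destination-port range

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dst_net is not None and \
                ip_address(p.dst_ip) not in ip_network(self.dst_net, strict=False):
            return False
        return self.ports[0] <= p.dst_port <= self.ports[1]


@dataclass(frozen=True)
class Entry:
    """A 'classifier X behavior Y' line: the classifier's ACL and its behavior."""
    classifier: str
    acl: Tuple[Rule, ...]
    behavior: str                        # "deny", "car" or "none"


def evaluate(policy: List[Entry], p: Packet) -> Tuple[str, Optional[str]]:
    """Return (verdict, deciding classifier). The first matching rule decides."""
    for entry in policy:
        for rule in entry.acl:
            if rule.matches(p):
                if rule.action == "deny" or entry.behavior == "deny":
                    return ("discard", entry.classifier)
                if entry.behavior == "car":
                    return ("rate-limit", entry.classifier)
                return ("forward", entry.classifier)
    return ("forward", None)             # matched nothing: forwarded without CAR


def never_hit(policy: List[Entry], probes: List[Packet]) -> List[str]:
    """Classifiers that decide none of the probe packets (shadowed entries)."""
    hit = {evaluate(policy, p)[1] for p in probes}
    return [e.classifier for e in policy if e.classifier not in hit]


# --- Constructed inputs ------------------------------------------------------
DST = "10.1.1.1/30"
# Assumed ACL contents for the classifier-order fault:
C1 = Entry("c1", (Rule("permit", "udp", DST),), "car")               # CAR
C2 = Entry("c2", (Rule("permit", "udp", DST, (0, 1022)),), "deny")   # ports < 1023

SERVICE_PORTS = (53, 161, 162, 514)      # dns, snmp, snmptrap, syslog


def acl_3300(action: str) -> Tuple[Rule, ...]:
    return tuple(Rule(action, "udp", None, (port, port)) for port in SERVICE_PORTS)


DENY_CAR = Entry("udp-limit", acl_3300("deny"), "car")      # CAR bound to deny ACL
DENY_3300 = Entry("udp-limit", acl_3300("deny"), "none")
PERMIT_3300 = Entry("udp-limit", acl_3300("permit"), "none")
LIMIT_REST = Entry("udp-limit1", (Rule("permit", "udp"),), "car")    # ACL 3301

DNS = Packet("udp", "10.1.1.1", 53)
HIGH = Packet("udp", "10.1.1.1", 2000)

if __name__ == "__main__":
    cases = [("c1 before c2", [C1, C2]), ("c2 before c1", [C2, C1]),
             ("3300 deny with CAR only", [DENY_CAR]),
             ("3300 deny + 3301", [DENY_3300, LIMIT_REST]),
             ("3300 permit + 3301", [PERMIT_3300, LIMIT_REST])]
    for name, policy in cases:
        print(name, evaluate(policy, DNS), evaluate(policy, HIGH),
              "never hit:", never_hit(policy, [DNS, HIGH]))
```

Running never_hit against a probe set that covers each intended class of traffic flags a classifier that an earlier, broader one shadows, which is the condition behind the first fault.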