HP (Hewlett-Packard) 6208M-SX Switch User Manual


 
Advanced Configuration and Management Guide
NOTE: To characterize the traffic, configure ACLs. You can use ACLs for rate policy rules applied to IP
interfaces or to virtual interfaces, but not for rate policy rules applied directly to port-based VLANs. When you
apply a rate policy rule to a port-based VLAN, the policy applies to all Ethernet traffic.
Specify how much bandwidth you want to allow the traffic for normal service, and whether you want the
device to change the precedence for the traffic before forwarding it.
For bandwidth above the normal service, specify the action you want the device to take. For example, you
can configure the device to drop all traffic that exceeds the normal bandwidth allocation, or change the
traffic's precedence or Diffserv control point, and so on.
Apply the traffic characterization, the bandwidth limits, and the actions to incoming or outgoing traffic on a
specific IP interface, virtual interface, or port-based VLAN.
Characterizing the Traffic
You can use the following types of ACLs to characterize traffic. When you configure a rate policy rule on an
interface, you can refer to the ACLs. In this case, the rate policy rule applies to the traffic that matches the ACLs.
Standard IP ACL: Matches packets based on source IP address.
Extended IP ACL: Matches packets based on source and destination IP address and also based on IP
protocol information. If you specify the TCP or UDP IP protocol, you also match packets based on source or
destination TCP or UDP application port.
Rate limit ACL: Matches packets based on source MAC address, IP precedence or Diffserv control points, or
a set of IP precedence values.
You can configure a rate policy rule without using an ACL. In this case, the rule applies to all types of Ethernet
traffic. In fact, you cannot use ACLs in a rate policy rule you apply to a port-based VLAN. A rate policy rule you
apply to a port-based VLAN applies to all types of Ethernet traffic.
To configure the ACLs used by the rate policy in Figure 4.2 on page 4-5, enter the following commands:
HP9300(config)# access-list 101 permit tcp any any eq http
HP9300(config)# access-list 102 permit tcp any any eq ftp
HP9300(config)# access-list 103 permit udp any any eq dns
These ACLs match on all Ethernet packets whose TCP or UDP application port is HTTP, FTP, or DNS.
To configure the rate limit ACL used in Figure 4.3 on page 4-7, enter the following command:
HP9300(config)# access-list rate-limit 100 aaaa.bbbb.cccc
The configuration in Figure 4.4 on page 4-8 applies a rate policy rule directly to a port-based VLAN and does not
use ACLs.
Here is the syntax for standard ACLs.
Syntax: [no] access-list <num> deny | permit <source-ip> | <hostname> <wildcard> [log]
or
Syntax: [no] access-list <num> deny | permit <source-ip>/<mask-bits> | <hostname> [log]
Syntax: [no] access-list <num> deny | permit host <source-ip> | <hostname> [log]
Syntax: [no] access-list <num> deny | permit any [log]
NOTE: The deny option is not applicable to rate limiting. Always specify permit when configuring an ACL for
use in a rate limiting rule.
Here is the syntax for extended ACLs.
Syntax: access-list <num> deny | permit <ip-protocol> <source-ip> | <hostname> <wildcard> [<operator> <source-tcp/udp-port>] <destination-ip> | <hostname> <wildcard> [<operator> <destination-tcp/udp-port>] [precedence <num> | <num>] [tos <name> | <num>] [log]
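The following is an added example, not part of this manual and not HP code: a small Python checker that parses access-list lines in the syntax shown above and flags the two constraints this section states for rate limiting (deny entries are not applicable, and a rate policy rule on a port-based VLAN cannot reference ACLs). The sample configuration lines, the extra ACL numbers 10 and 11, and the "ip-interface" / "port-based-vlan" target names are constructed for the example.

```python
# Constructed sample configuration: the three extended ACLs shown on this page,
# a standard ACL in the "host" form, a standard ACL in the /mask-bits form with
# a deny entry, and the rate limit ACL with its illustrative MAC address.
SAMPLE_CONFIG = """\
access-list 101 permit tcp any any eq http
access-list 102 permit tcp any any eq ftp
access-list 103 permit udp any any eq dns
access-list 10 permit host 10.1.1.20
access-list 11 deny 10.2.0.0/16 log
access-list rate-limit 100 aaaa.bbbb.cccc
"""

# Protocol keywords that mark an extended ACL (assumed set for this example).
IP_PROTOCOLS = {"ip", "tcp", "udp", "icmp"}

def parse_acl_line(line):
    """Return a dict describing one access-list line, or None if it is not one."""
    tok = line.split()
    if len(tok) < 3 or tok[0] != "access-list":
        return None
    if tok[1] == "rate-limit":  # access-list rate-limit <num> <mac-address>
        return {"num": tok[2], "kind": "rate-limit", "action": None,
                "match": " ".join(tok[3:]), "log": False}
    num, action, rest = tok[1], tok[2], tok[3:]
    if action not in ("permit", "deny"):
        return None
    # An extended ACL names an IP protocol right after permit/deny; a standard
    # ACL goes straight to the source (host, any, address/mask or wildcard).
    kind = "extended" if rest and rest[0] in IP_PROTOCOLS else "standard"
    logging = bool(rest and rest[-1] == "log")
    if logging:
        rest = rest[:-1]
    return {"num": num, "kind": kind, "action": action,
            "match": " ".join(rest), "log": logging}

def parse_config(text):
    return [e for e in (parse_acl_line(l) for l in text.splitlines()) if e]

def rate_limit_problems(entries, target="ip-interface"):
    """List reasons the entries cannot serve a rate policy rule on the target.

    Two rules from this section: deny is not applicable to rate limiting, and a
    rate policy rule applied directly to a port-based VLAN cannot use ACLs.
    """
    if target == "port-based-vlan":
        return ["rate policy on a port-based VLAN cannot use ACLs; "
                "it applies to all Ethernet traffic"]
    return [f"access-list {e['num']}: deny is not applicable to rate limiting, use permit"
            for e in entries if e["action"] == "deny"]
```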