Advanced Configuration and Management Guide

NOTE: To characterize the traffic, configure ACLs. You can use ACLs for rate policy rules applied to IP interfaces or to virtual interfaces, but not for rate policy rules applied directly to port-based VLANs. When you apply a rate policy rule to a port-based VLAN, the policy applies to all Ethernet traffic.

Specify how much bandwidth you want to allow the traffic for normal service, and whether you want the device to change the precedence for the traffic before forwarding it.

For bandwidth above the normal service, specify the action you want the device to take. For example, you can configure the device to drop all traffic that exceeds the normal bandwidth allocation, or change the traffic’s precedence or Diffserv control point, and so on.

Apply the traffic characterization, the bandwidth limits, and the actions to incoming or outgoing traffic on a specific IP interface, virtual interface, or port-based VLAN.

Characterizing the Traffic

You can use the following types of ACLs to characterize traffic. When you configure a rate policy rule on an interface, you can refer to the ACLs. In this case, the rate policy rule applies to the traffic that matches the ACLs.

Standard IP ACL – Matches packets based on source IP address.

Extended IP ACL – Matches packets based on source and destination IP address and also based on IP protocol information. If you specify the TCP or UDP IP protocol, you also match packets based on source or destination TCP or UDP application port.

Rate limit ACL – Matches packets based on source MAC address, IP precedence or Diffserv control points, or a set of IP precedence values.

You can configure a rate policy rule without using an ACL; in this case the rule applies to all types of Ethernet traffic. A rate policy rule applied to a port-based VLAN cannot reference ACLs at all and therefore always applies to all Ethernet traffic on that VLAN.

To configure the ACLs used by the rate policy in Figure 4.2 on page 4-5, enter the following commands:

HP9300(config)# access-list 101 permit tcp any any eq http

HP9300(config)# access-list 102 permit tcp any any eq ftp

HP9300(config)# access-list 103 permit udp any any eq dns

These ACLs match all Ethernet packets whose TCP application port is HTTP or FTP, or whose UDP application port is DNS.

To configure the rate limit ACL used in Figure 4.3 on page 4-7, enter the following command:

HP9300(config)# access-list rate-limit 100 aaaa.bbbb.cccc

The configuration in Figure 4.4 on page 4-8 applies a rate policy rule directly to a port-based VLAN and does not use ACLs.

Here is the syntax for standard ACLs.

Syntax: [no] access-list <num> deny | permit <source-ip> | <hostname> <wildcard> [log]

or

Syntax: [no] access-list <num> deny | permit <source-ip>/<mask-bits> | <hostname> [log]

Syntax: [no] access-list <num> deny | permit host <source-ip> | <hostname> [log]

Syntax: [no] access-list <num> deny | permit any [log]

NOTE: The deny option is not applicable to rate limiting. Always specify permit when configuring an ACL for use in a rate limiting rule.

Here is the syntax for extended ACLs.

Syntax: access-list <num> deny | permit <ip-protocol> <source-ip> | <hostname> <wildcard> [<operator> <source-tcp/udp-port>] <destination-ip> | <hostname> <wildcard> [<operator> <destination-tcp/udp-port>] [precedence <name> | <num>] [tos <name> | <num>] [log]
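As an added example (not part of this guide and not HP code), the following Python script parses standard and extended access-list statements in the syntax shown above and flags the two mistakes this section warns about before the ACLs are referenced from a rate policy rule: a deny entry (deny is not applicable to rate limiting) and a TCP/UDP port match on an entry whose IP protocol is not tcp or udp. The sample configuration is constructed for the example; the split of ACL numbers into 1-99 (standard) and 100-199 (extended) is an assumption consistent with the ACL numbers the guide uses but not stated on this page.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample configuration (not from a real device). ACL 11 and
# ACL 104 are deliberately wrong for use in a rate limiting rule.
SAMPLE_CONFIG = """
access-list 101 permit tcp any any eq http
access-list 102 permit tcp any any eq ftp
access-list 103 permit udp any any eq dns
access-list 10 permit 10.1.0.0 0.0.255.255
access-list 11 deny host 10.1.2.3 log
access-list 104 permit ip any any eq http
"""

# Assumed numbering split: 1-99 standard, 100-199 extended.
STANDARD_RANGE = range(1, 100)
EXTENDED_RANGE = range(100, 200)

# Port operators and how many port arguments each one takes.
OPERATORS = {"eq": 1, "neq": 1, "lt": 1, "gt": 1, "range": 2}


@dataclass
class AclEntry:
    number: int
    action: str                      # "permit" or "deny"
    kind: str                        # "standard" or "extended"
    protocol: Optional[str] = None   # extended ACLs only
    ports: list = field(default_factory=list)  # [(operator, port[, port])]
    raw: str = ""


def _extract_ports(tokens):
    """Collect every <operator> <port> clause from an extended ACL body."""
    ports, i = [], 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in OPERATORS:
            argc = OPERATORS[tok]
            ports.append((tok, *tokens[i + 1:i + 1 + argc]))
            i += 1 + argc
        else:
            i += 1
    return ports


def parse_acl_line(line):
    """Parse one 'access-list <num> deny|permit ...' statement, or return None."""
    tokens = line.strip().split()
    if len(tokens) < 3 or tokens[0] != "access-list":
        return None
    number, action = int(tokens[1]), tokens[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"ACL {number}: expected deny or permit, got {action!r}")
    body = tokens[3:]
    if number in STANDARD_RANGE:
        # Standard ACLs match on source address only; no protocol or ports.
        return AclEntry(number, action, "standard", raw=line.strip())
    if number in EXTENDED_RANGE:
        return AclEntry(number, action, "extended", protocol=body[0],
                        ports=_extract_ports(body[1:]), raw=line.strip())
    raise ValueError(f"ACL {number}: outside the standard/extended ranges")


def parse_config(text):
    """Parse all access-list statements in a configuration snippet."""
    return [e for e in (parse_acl_line(l) for l in text.splitlines()) if e]


def check_for_rate_limiting(entries):
    """Return (acl_number, reason) for entries unsuitable in a rate policy rule."""
    problems = []
    for e in entries:
        if e.action == "deny":
            problems.append((e.number, "deny is not applicable to rate limiting; use permit"))
        if e.kind == "extended" and e.ports and e.protocol not in ("tcp", "udp"):
            problems.append((e.number,
                             f"port match requires tcp or udp, not {e.protocol}"))
    return problems


if __name__ == "__main__":
    for number, reason in check_for_rate_limiting(parse_config(SAMPLE_CONFIG)):
        print(f"access-list {number}: {reason}")
```

Run it against a saved `show running-config` excerpt before building the rate policy rule; any ACL it reports should be rewritten as a permit entry (or given a tcp/udp protocol) rather than referenced as-is.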
