V600R003C00
Troubleshooting - QoS
Issue 02
Date 2011-09-10
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.
Website: http://www.huawei.com
Email: support@huawei.com
Purpose
NOTE
- This document takes interface numbers and link types of the NE40E-X8 as an example. In working situations, the actual interface numbers and link types may be different from those used in this document.
- On NE80E/40E series excluding NE40E-X1 and NE40E-X2, line processing boards are called Line Processing Units (LPUs) and switching fabric boards are called Switching Fabric Units (SFUs). On the NE40E-X1 and NE40E-X2, there are no LPUs and SFUs, and NPUs implement the same functions of LPUs and SFUs to exchange and forward packets.
This document describes the troubleshooting workflow and methods for HUAWEI
NetEngine80E/40E.
Related Versions
The following table lists the product versions related to this document.
Intended Audience
This document is intended for:
- Policy planning
- Installation and commissioning engineer
- NM configuration engineer
- Technical support engineer
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol Description
Change History
Updates between document issues are cumulative. Therefore, the latest document issue contains
all updates made in previous issues.
[Figure: networking diagram and troubleshooting flowchart. RouterA - RouterB (GE1/0/1, GE8/0/1) - RouterC (GE3/0/1.1, GE1/0/1.1, vlan-type dot1q 1) - RouterD. Flowchart: Is the mapping used on the inbound interface correct? No: modify the configuration on the inbound interface and adopt the correct mapping. Is the inbound/outbound interface a sub-interface? No: configure the sub-interface. Is 802.1P enabled on the inbound/outbound interface? No: configure trust 8021P on the sub-interface. Is the fault removed? No: seek Huawei technical support. Yes: End.]
Procedure
Step 1 Check the mapping of the interface sending the packet
Run the display this command on GE 8/0/1 of Router B to check whether the trust upstream command is configured.
- If a non-default domain is configured, check the mapping of that domain in the global configuration mode through the display diffserv domain command.
- If trust upstream default is configured, check the mapping of the default domain in the global configuration mode through the display diffserv domain command. If the mapping does not meet the requirement, re-configure it.
Step 2 Check the mapping of the interface receiving the packet
Run the display this command on sub-interface GE 3/0/1.1 of Router C to check whether the trust upstream [ ds-domain-name ] command is configured.
- If a non-default domain is configured, check the mapping of that domain in the global configuration mode through the display diffserv domain command.
- If trust upstream default is not configured, check the mapping of the default domain in the global configuration mode through the display diffserv domain command. If the mapping does not meet the requirement, re-configure it.
Step 3 Check that 802.1P is enabled
Run the display this command on sub-interface GE 3/0/1.1 of Router C to check whether the trust 8021P command is configured. If it is not configured, configure it.
----End
[Figure: networking diagram and troubleshooting flowchart. RouterA (GE1/0/1.1) - RouterB (GE8/0/1.1), MAC address 1-1-1. Flowchart: A fault occurs in the traffic policy. Check whether the traffic classification rule of the inbound interface is correct; No: re-configure the traffic classification rule. Check whether the traffic behavior is correct; No: re-configure the traffic behavior. Check whether the traffic policy is correct; No: re-configure the traffic policy. Check whether the traffic policy is applied correctly; No: apply the traffic policy correctly. Is the fault removed? No: seek Huawei technical support. Yes: End.]
Procedure
Step 1 Check the network connectivity
Run the display ip interface brief command to display the state of each interface.
[Figure: networking diagram and troubleshooting flowchart. RouterA (GE1/0/0) - RouterB (GE8/0/1, GE1/0/1) - RouterC (GE8/0/1). Flowchart: A fault occurs. Check the network connectivity; No: isolate the network fault. Check whether simple traffic classification is configured on the inbound interface; No: configure simple traffic classification on the inbound interface. Check whether simple traffic classification is configured on the outbound interface; No: configure simple traffic classification on the outbound interface. Check whether queue scheduling is configured correctly; No: configure queue scheduling correctly. Yes: End.]
Procedure
Step 1 Check the network connectivity
Run the display ip interface brief command to display the state of each interface.
- Up indicates that the interface is available.
- Down indicates that the interface is unavailable.
When the interface is Down, check the link and the interface.
Step 2 Check that simple traffic classification is configured on the inbound interface
Run the display this command in the view of inbound interface GE 8/0/1 on Router B to check whether simple traffic classification is enabled, that is, whether the trust upstream command is configured.
Step 3 Check that simple traffic classification is configured on the outbound interface
Run the display this command in the view of outbound interface GE 8/0/1 on Router B to check whether simple traffic classification is enabled, that is, whether the trust upstream command is configured.
Check the mapping of the domain in the global configuration mode through the display diffserv domain command, that is, whether the mapping meets the requirement.
Run the display this command in the view of outbound interface GE 1/0/1 on Router B to check whether the correct queue scheduling is configured to forward the traffic at each level, that is, whether commands such as port-queue ef, port-queue af1, port-queue af2, and port-queue be are configured.
Confirm that the shaping for the traffic at each level is set correctly.
----End
Figure 1-7 Networking diagram for configuring ATM QoS for 1-to-1 VCC ATM transmission
[Figure: CE1 (ATM1/0/0.1, PVC 1/100, 100.1.1.1/24) and CE2 (ATM1/0/0.1, PVC 1/100, 100.1.1.2/24) in ATM networks, each attached to ATM2/0/0 of its PE; PE1 (loopback 1.1.1.9/32) and PE2 (loopback 3.3.3.9/32) connected over MPLS through POS1/0/0; the addresses 10.1.1.1/24 and 10.1.2.2/24 appear on the PE links.]
In the figure:
- L2VPN is configured on PE1 and PE2, and the L2VPN is bound to the PE interface that is connected to the CE.
- A PVC is configured on the CE, and transparent cell transmission is configured on the ATM side of the PE.
- Simple traffic classification is configured on the ATM sub-interface of PE1.
[Troubleshooting flowchart: No traffic classification on the ATM interface. Is ATM cell transmission configured correctly on the CEs? No: modify the ATM cell transmission configuration on the CEs. Is simple or forced traffic classification configured on the PEs? No: modify the traffic classification configured for the PVC on the private interface. Fault removed? No: seek technical support. Yes: End.]
Procedure
- Troubleshooting Procedure for Simple ATM Traffic Classification
1. Check whether MPLS LDP sessions are set up between the PEs.
If the atm cell transfer command is run on the PE interface that is connected to the private network, ATM cells can be transmitted transparently between the CEs, and the CEs can ping each other.
4. Check whether simple ATM traffic classification is enabled on the PE.
Check whether the trust upstream command is run on the inbound interface.
In the interface view, run the display current-configuration command and check whether the trust upstream default command is run on the interface.
If the trust upstream default command has been run on the upstream PVC of the PE, simple ATM traffic classification is enabled. The CLP field of the ATM cells is transmitted transparently to the remote end, that is, the service priority of the ATM cells remains unchanged.
The PE puts the ATM cells into queues according to the service class and CLP of the cells, so that differentiated services are provided according to the priority of the cells.
Check the configuration in the default DS domain.
If the mapping between the service priority and the queue differs from the default mapping, run the display current-configuration command in the default DS domain view. If the mapping does not satisfy the networking requirement, configure the mapping again in the default DS domain view.
You can run the display port-queue command to check the outgoing queue on the interface.
5. If the problem remains unsolved, contact the local Huawei technical support engineer.
- Troubleshooting Procedure for Forced ATM Traffic Classification
The configuration of forced ATM traffic classification is independent of the type of ATM service.
Forced ATM traffic classification can be applied only to the upstream interface. It cannot be configured together with simple ATM traffic classification.
1. Check that forced ATM traffic classification is enabled on the upstream ATM interface or PVC/PVP.
The router should be able to put upstream ATM cells into queues according to their class of service and color, so that differentiated services are provided per interface and per PVC/PVP.
You can run the display port-queue command to check the outgoing queue on the interface.
2. If the problem remains unsolved, contact the local Huawei technical support engineer.
----End
In general, HQoS is configured on the access-layer router to guarantee bandwidth and limit the traffic of users or user groups.
In this networking, the configuration roadmap of HQoS is as follows:
- Configure the WRED parameters for each CoS.
- Configure the queue scheduling algorithm and parameters for each flow queue.
- Configure the mapping of the CoS to flow queues.
- Configure the shaping value for user group queues.
- Configure SQ on the interface.
- Configure CQ on the interface.
In this networking, the client gateways connect to the sub-interface of the PE by means of VLL, VPLS, or L3VPN. HQoS is configured on the access side of the PE to guarantee the bandwidth and limit the traffic of users or user groups.
The configuration roadmap is similar to that on the primary interface.
[Troubleshooting flowchart: SQ traffic is incorrect. Traffic size too small? Yes: check the load-balancing configuration on the Trunk interface; then check for excessive upstream protocol packets. Downstream connected to the MPLS core network? Yes: HQoS does not take effect on the PW at the public network side. Fault removed? No: seek technical support. Yes: End.]
Procedure
Step 1 Compare the actual traffic that passes through the router with the configuration.
1. If the volume of traffic is smaller than the configured value, check whether the interface where HQoS is configured is an Eth-Trunk interface.
2. If the interface is an Eth-Trunk interface, check whether packet-based load balancing is configured on that Eth-Trunk interface.
[PE1] interface eth-trunk 5
[PE1-Eth-Trunk55] display this
#
interface Eth-Trunk55
load-balance packet-all
#
3. If packet-based load balancing is configured on the Eth-Trunk interface, disable it. The problem is then solved.
4. If the volume of traffic is larger than the configured value and the interface is not an Eth-Trunk interface, perform Step 3.
5. If the volume of traffic is too large, proceed to Step 2.
Step 2 Check whether HQoS is configured on the inbound or outbound interface.
- If HQoS is configured on the inbound interface, perform Step 3.
- If HQoS is configured on the outbound interface, perform Step 4.
Step 3 Check whether there are too many protocol packets.
- When HQoS is configured on the inbound interface, the SQ limits the rate of all traffic, including protocol packets. If too many protocol packets enter the router, the bandwidth allocated to protocol packets is wasted, and the actual traffic volume is therefore too small.
- If few protocol packets enter the router, perform Step 6.
Step 4 Check whether there are multicast or unknown unicast packets.
- If there are multicast or unknown unicast packets on the outbound interface, the volume of traffic that passes through the router is too large.
- If there are no multicast or unknown unicast packets, perform Step 5.
Step 5 Check whether the outbound interface is connected to the MPLS backbone network.
- If the outbound interface is connected to the MPLS backbone network, the volume of traffic that passes through the router is too large because HQoS does not take effect on the backbone network side.
- If not, perform Step 6.
Step 6 Contact Huawei technical support engineers.
----End
[Figure: PC, VoIP, and IPTV users behind DSLAM 1 access the ISP network through the router. Flowchart: UCL configuration not effective. Does the board support UCL? Yes: configure UCL on the UCL-supporting board. End.]
Procedure
Step 1 Check the board type to confirm whether UCLs are supported on the board.
- If UCLs are not supported on the board, replace the board with a UCL-supporting board and configure the UCLs again.
- If UCLs are supported on the board, go to Step 2.
Step 2 Check whether complex traffic classification (CTC) policies are configured on the interface.
- If CTC policies are configured on the interface, traffic may match the CTC policies rather than the UCLs. In this case, delete the CTC policies.
A maximum of 2048 UCL rules can be configured. In addition, UCL rules of different types are applied to incoming and outgoing traffic differently.
- If the number of configured UCL rules exceeds the upper limit, delete the excess UCL rules.
- If the number of configured UCL rules does not exceed the upper limit, go to Step 4.
Step 4 If the fault persists, contact the Huawei technical support personnel.
----End
Last Mile QoS cannot be configured on the X1 and X2 models of the NE80E/40E.
- The user accesses the network through the GE 2/0/0 on the router.
- RADIUS authentication and RADIUS accounting are used.
[Figure: PC - CPE - ATM DSLAM - BRAS]
NOTE
A user can access the network through either PPPoA or PPPoE. When the local link type and remote link
type are different, you need to configure last mile QoS and set a remote packet compensation value.
[Troubleshooting flowchart: Fault rectified? No: contact Huawei technical support personnel. Yes: End.]
Procedure
Step 1 Run the display this command in the system view or the AAA domain view to check whether last mile QoS is enabled.
- If last mile QoS is enabled, go to Step 2.
- If last mile QoS is not enabled, run the qos link-adjustment remote enable command in either the system view or the AAA domain view accordingly. The configuration takes effect when the user logs in again. If you configure the qos link-adjustment remote enable command in the AAA domain view, last mile QoS takes effect only for the L2TP service.
Step 2 Check whether the remote packet compensation value is correctly configured in the interface view or the AAA domain view.
- If the remote packet compensation value is correctly configured, go to Step 3.
- If the remote packet compensation value is not correctly configured, run the qos link-adjustment remote command in either the system view or the AAA domain view accordingly.
Step 3 If the fault persists, contact the Huawei technical support personnel.
----End
Context
NOTE
Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct
the fault, you will have a record of your actions to provide Huawei technical support personnel.
Procedure
Step 1 Check that BAS HQoS is configured on the device.
- For family users, check whether a QoS profile is applied to an interface on the user side.
Run the display this command in the view of the interface connected to the faulty client to check whether a QoS profile is applied.
If no QoS profile is applied, run the qos-profile qos-profile-name { inbound | outbound } command to apply the correct QoS profile. The new configuration takes effect after the user goes online again.
NOTE
The newly applied QoS profile is invalid for users that are already logged on. After the user goes offline and goes online again, the QoS profile takes effect.
- For common users, check whether a QoS profile is applied to an interface on the user side.
Run the display domain domain-name command and view the Qos-profile-name inbound and Qos-profile-name outbound fields to check whether a QoS profile is applied.
If the values of the Qos-profile-name inbound and Qos-profile-name outbound fields are not displayed, no QoS profile is applied. Run the qos-profile qos-profile-name { inbound | outbound } command in the user domain view. The new configuration takes effect after the user goes online again.
- If BAS HQoS is correctly configured, go to Step 2.
Run the display qos-profile configuration qos-profile-name command to check whether the user-queue or car command is configured in the QoS profile.
- If the user-queue or car command is not configured, run the user-queue or car command in the QoS profile view. The new configuration takes effect after the user goes offline and goes online again.
- If the QoS profile is correctly configured, go to Step 3.
Step 3 Collect the following information and contact Huawei technical support personnel.
- Results of the preceding operation procedure
- Configuration files, log files, and alarm files of the devices
----End
Relevant Alarms
None.
Relevant Logs
None.
Fault Symptom
On the network shown in Figure 1-16, two ACL rules in a traffic policy are configured in sequence on GE 1/0/0 of the router to implement the following functions:
- Discard UDP packets with the destination address 10.1.1.1/30 and destination port numbers smaller than 1023.
- Apply a CAR policy to other packets with the destination address 10.1.1.1/30 and destination port numbers equal to or larger than 1023 to limit the transmission rate to 400 Mbit/s.
After the configuration, the router applies the CAR policy to the UDP packets with the destination address 10.1.1.1/30, thus implementing traffic control; however, it does not discard the UDP packets with the destination address 10.1.1.1/30 and destination port numbers smaller than 1023.
[Figure 1-16: the router connects to the network through GE1/0/0.]
Fault Analysis
1. Run the display current-configuration command to check the global configuration of the ACLs and the traffic policy. The configuration is as follows:
acl 3010 match-order auto
rule 5 permit ip destination 10.1.1.1 0.0.0.3
acl 3011
rule 5 permit udp destination 10.1.1.1 0.0.0.3 destination-port lt 1023
traffic classifier c1 operator or
if-match acl 3010
traffic classifier c2 operator or
if-match acl 3011
traffic behavior b1
car cir 400000 cbs 400000 pbs 0 green pass yellow pass red discard
traffic behavior b2
deny
traffic policy tp
classifier c1 behavior b1
classifier c2 behavior b2
interface gigabitethernet 1/0/0
traffic-policy tc inbound
2. The command output shows that UDP packets first attempt to match the ACL rule associated with the classifier that is configured first in the traffic policy. Once the UDP packets match that ACL rule, they are not matched against the other ACL rule. In this case, the UDP packets with the destination address 10.1.1.1/30 and destination port numbers smaller than 1023 match ACL 3010, so the rate limit takes effect on them. They are then not matched against the other ACL rule and are therefore not discarded.
Procedure
Step 1 Run the undo traffic-policy inbound command in the interface view to delete the traffic policy applied to the interface.
Step 3 Run the undo traffic policy tp command to delete the traffic policy.
Step 4 Run the traffic policy tp command to create a traffic policy and enter the traffic policy view.
Step 5 Run the classifier c2 behavior b2 command and then the classifier c1 behavior b1 command to change the sequence in which ACL rules are applied in the traffic policy.
Step 6 Run the traffic-policy policy-name inbound command to apply the traffic policy to the interface.
After the preceding operations, the UDP packets with the destination address 10.1.1.1/30 and destination port numbers smaller than 1023 are discarded, and traffic control is performed on the other packets with the destination address 10.1.1.1/30. The fault is then rectified.
----End
Summary
The sequence for applying ACL rules must be correct. During traffic classification, packets
match the ACL rules in the sequence from an ACL associated with the classifier that is first
configured in a traffic policy. If the packets match an ACL rule, the packets are processed based
on the ACL rule and do not match other ACL rules.
When configuring a traffic policy, ensure that the sequence in which traffic classifiers are applied
is correct.
Fault Symptom
On the network shown in Figure 1-17, Layer 3 MPLS VPN runs between the router and the switch, and the Soft 3000 belongs to the Layer 3 MPLS VPN. The router and the switch are configured with QoS to protect services. After the configuration, packet loss occurs when Switch A pings the Soft 3000, while the other services are normal.
Figure 1-17 Diagram of the networking where packets of VPN services are lost because the IP precedence of a device is incorrectly set
[Figure: Switch A, Switch B, the router, the switch, and the Soft 3000]
Fault Analysis
1. Run the display current-configuration command on the router to check the current
configuration.
acl number 10001
rule ip
traffic classifier any-ngn
if-match acl 10001
traffic behavior action-ef
remark ip-precedence 4
traffic policy eacl-ef
classifier any-ngn behavior action-ef precedence 0
interface GigabitEthernet1/0/0
port-queue af4 shaping 10 outbound
port-queue ef shaping 100 outbound
trust upstream default
The command output shows that the IP precedence value is set to 4 (corresponding to AF4),
the committed bandwidth for AF4 on the interface is 10 Mbit/s, and packet loss occurs
when the traffic volume is greater than 10 Mbit/s. In this case, the volume of NGN traffic
on Switch A exceeds 10 Mbit/s.
2. Run the display port-queue statistics interface gigabitethernet 1/0/0 af4 outbound
command. You can find that a large number of packets in the AF queue are discarded.
[af4]
Current usage percentage of queue: 0
Total pass:
0 packets, 0 bytes
Total discard:
13,608,926 packets,
39,502,685,409 bytes
Drop tail discard:
0 packets, 0 bytes
Wred discard:
0 packets, 0 bytes
Last 30 seconds pass rate:
453,631 pps,
1,316,756,180 bps
Last 30 seconds discard rate:
0 pps, 0 bps
Drop tail discard rate:
0 pps, 0 bps
Wred discard rate:
0 pps, 0 bps
Peak rate:
0000-00-00 00:00:00 0 bps
The command output shows that the IP precedence value of the router is set to 4
(corresponding to AF4) and packet loss occurs when the traffic volume exceeds 10 Mbit/
s. As a result, packet loss occurs when Switch A pings the Soft 3000.
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the traffic behavior behavior-name command to enter the traffic behavior view.
Step 3 Run the remark ip-precedence 5 command to re-mark the IP precedence and set the ToS of VPN NGN services to EF.
After the preceding operations, the IP precedence value is set to 5, which corresponds to EF set
with the port-queue ef shaping 100 outbound command on the interface. Thus, the committed
bandwidth of VPN NGN services is changed to 100 Mbit/s.
----End
Summary
After the remark ip-precedence precedence command is run on a device, the device maps the
re-marked IP precedence with a ToS.
IP precedence  Service class  Color
0              be
1              af1            green
2              af2            green
3              af3            green
4              af4            green
5              ef             green
6              ef             green
7              ef             green
Figure 1-18 Networking diagram of slow web page loading for some ADSL users
[Figure: modems - Broadband Access Router - RouterA - Internet]
Fault Analysis
1. Captured packets show that the port numbers used by ADSL users dialing through a modem range from 1000 to 10000, while the port numbers used by ADSL users dialing through an agent dialer are translated by NAT into port numbers larger than 10000.
2. Run the display current-configuration command on the device to check the traffic limit configured on the interface. The command output shows that a P2P traffic policy has been configured. Based on the traffic policy, the transmission rate of services with port numbers larger than 10000 is limited to 20 Mbit/s. Insufficient bandwidth therefore causes slow Web page loading when ADSL users dialing through an agent dialer attached to the modem access the Internet during the period from 19:00 to 23:30.
Procedure
Step 1 Run the system-view command to enter the system view.
Step 2 Run the interface interface-type interface-number command to enter the interface view.
Step 3 Run the undo traffic-policy { inbound | outbound } command to delete the traffic policy.
After the preceding operations, the ADSL users using the agent dialer can load Web pages normally. The fault is rectified.
----End
Summary
Check the port numbers used for transmitting a service before setting a traffic limit for the service. In addition, if the service passes through a NAT device, such as a firewall or a NAT-enabled router, consider the impact of NAT before setting the traffic limit, so that an incorrect setting does not affect user traffic over the entire network.
1.9.4 Rate Limit Does Not Take Effect When Both Rate Limit and Access Control Are Configured
Fault Symptom
Access control is configured on Router A to discard UDP packets destined for specific ports, and rate limit is configured to limit the rate of the other data packets. After the configuration is complete, it is found that the rate limit does not take effect.
Figure 1-19 Networking diagram for Rate Limit Does Not Take Effect
[Figure: Network - RouterA - Network]
Fault Analysis
1. Run the display current-configuration command on Router A.
The command output shows that after a data packet enters an interface, the packet is matched against the ACL rules. If the packet matches an ACL rule whose action is deny, the packet is discarded. Packets that do not match any ACL rule are forwarded directly.
Therefore, to limit the rate of the data packets that do not match any ACL rule, you need to add an ACL rule that permits these packets. The rate limit then takes effect on these data packets.
Procedure
Step 1 Run the undo traffic-policy command in the interface view to cancel the traffic policy applied to the interface.
Step 3 Run the undo traffic policy policy-name command to delete the traffic policy from the device.
Step 4 Run the traffic behavior udp-limit command to enter the traffic behavior view.
Step 5 Run the undo car command to cancel the configured traffic rate limit.
Step 8 Run the rule rule-id permit any command to permit the packets other than the UDP packets destined for specific ports.
Step 10 Run the traffic classifier classifier-name command to configure a traffic classifier.
Step 11 Run the if-match acl acl-number command to define an ACL matching rule.
Step 13 Run the traffic behavior behavior-name command to configure a traffic behavior.
Step 14 Run the car cir 1360000 cbs 1360000 pbs 0 green pass yellow discard red discard command to configure a rate limit for the packets that are allowed to pass.
Step 16 Run the traffic policy policy-name command to create a traffic policy, and then run the classifier classifier-name behavior behavior-name command to associate the traffic classifier with the traffic behavior in the traffic policy.
Step 17 Run the traffic-policy policy-name inbound command on the interface to apply the traffic policy to the interface.
Step 18 Run the display current-configuration command to check the corresponding configuration.
acl number 3300
rule 0 deny udp destination-port eq dns
rule 1 deny udp destination-port eq snmp
rule 2 deny udp destination-port eq snmptrap
rule 3 deny udp destination-port eq syslog
acl number 3301
rule 4 permit any
traffic classifier udp-limit operator or
if-match acl 3300
traffic classifier udp-limit1 operator or
if-match acl 3301
traffic behavior udp-limit
traffic behavior udp-limit1
car cir 1360000 cbs 1360000 pbs 0 green pass yellow discard red discard
traffic policy udp-limit
classifier udp-limit behavior udp-limit
classifier udp-limit1 behavior udp-limit1
interface gigabitEthernet 1/0/0
traffic policy udp-limit inbound
After the preceding operations, both access control and rate limit take effect. The fault is rectified.
----End
Summary
When configuring access control, you can use the parameter deny to discard packets. The other
packets that are not discarded are directly forwarded without rate limit by default. To limit the
rate of the packets that are not denied, you need to first configure an ACL rule to allow them to
pass. Then, configure traffic behaviors to limit the rate at which these packets are forwarded.
Fault Symptom
On the network shown in Figure 1-20, Router A functions as the egress. Rate limit is configured
for UDP packets other than DNS, SNMP, SNMP Trap, and Syslog packets in the inbound
direction of GE 1/0/0 on Router A. The rate of these UDP packets is limited to 1.3 Gbit/s. After
the configuration, a user on another network cannot access the DNS server on this network.
[Figure 1-20: Router A between Router B and Router C; interfaces GE1/0/0 and GE1/0/1 on each router.]
Fault Analysis
1. After configurations of rate limit are deleted by using the undo car command in the traffic
behavior view on Router A, a user on another network can access the DNS server on this
network. Therefore, it can be concluded that the fault is caused by incorrect configurations.
2. Run the display current-configuration command on Router A to check its configurations:
acl number 3300
rule 0 deny udp destination-port eq dns
rule 1 deny udp destination-port eq snmp
rule 2 deny udp destination-port eq snmptrap
rule 3 deny udp destination-port eq syslog
rule 4 permit udp
traffic classifier udp-limit operator and
if-match acl 3300
traffic behavior udp-limit
car cir 1360000 cbs 1360000 pbs 0 green pass yellow discard red discard
traffic policy udp-limit
classifier udp-limit behavior udp-limit
The preceding information indicates that DNS, SNMP, SNMP Trap, and Syslog packets
are all denied. This is because these packets match the ACL rules whose action is deny.
As a result, these packets are directly discarded on Router A, and thus are not processed
based on the configured traffic behaviors.
Therefore, the actions in the rules of ACL 3300 need to be set to permit for DNS, SNMP,
SNMP Trap, and Syslog packets, and an ACL rule needs to be added to implement rate
limit on the other types of UDP packets.
Procedure
Step 1 Define ACL 3300 for DNS, SNMP, SNMP Trap, and Syslog packets, configure a traffic classifier through the traffic classifier udp-limit command, configure a traffic behavior by using the traffic behavior udp-limit command, and create a traffic policy by using the traffic policy udp-limit command.
Step 2 Define ACL 3301 for UDP packets other than DNS, SNMP, SNMP Trap, and Syslog packets, configure a traffic classifier through the traffic classifier udp-limit1 command, configure a traffic behavior by using the traffic behavior udp-limit1 command, and create a traffic policy by using the traffic policy udp-limit1 command.
Step 3 Run the display current-configuration command on Router A to check the corresponding
configurations:
acl number 3300
rule 0 permit udp destination-port eq dns
rule 1 permit udp destination-port eq snmp
rule 2 permit udp destination-port eq snmptrap
rule 3 permit udp destination-port eq syslog
acl number 3301
rule 0 permit udp
traffic classifier udp-limit operator or
if-match acl 3300
traffic classifier udp-limit1 operator or
if-match acl 3301
traffic behavior udp-limit
traffic behavior udp-limit1
car cir 1360000 cbs 1360000 pbs 0 green pass yellow discard red discard
traffic policy udp-limit
classifier udp-limit behavior udp-limit
classifier udp-limit1 behavior udp-limit1
After matching ACL 3300, DNS, SNMP, SNMP Trap, and Syslog packets are forwarded based
on the traffic behavior configured through the traffic behavior udp-limit command. After
matching ACL 3301, UDP packets other than DNS, SNMP, SNMP Trap, and Syslog packets
are forwarded based on the traffic behavior configured in the traffic behavior udp-limit1
command.
After the preceding operations, a user on another network can access the DNS server on this
network and rate limit takes effect. The fault is rectified.
----End
Summary
An ACL not only classifies traffic but also permits or denies traffic, that is, forwards or discards
traffic. Therefore, make sure that packets that need to be rate limited are not discarded.
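Added example (not from this document or from Huawei): a small Python model of the traffic-policy evaluation behaviour that cases 1.9.2, 1.9.4 and 1.9.5 describe, with the ACLs, behaviors and policy order of those cases encoded as data, so the three faults and their fixes can be replayed on sample packets. The evaluation rules are the ones the document states (first ACL hit across classifiers ends classification; an ACL deny discards before the behavior runs; packets matching no rule are forwarded without a behavior); the 1.9.4 starting configuration, the port numbers behind the ACL keywords, and the sample packets are assumed or constructed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

# Well-known UDP ports behind the keywords used in ACL 3300 (assumed values).
DNS, SNMP, SNMPTRAP, SYSLOG = 53, 161, 162, 514


@dataclass(frozen=True)
class Packet:
    proto: str                      # "udp", "tcp", ...
    dst: str                        # destination IPv4 address
    dport: Optional[int] = None     # destination port, if any


@dataclass(frozen=True)
class Rule:
    """One ACL rule: an action plus the match fields used in the cases above."""
    action: str                     # "permit" or "deny"
    proto: str = "ip"               # "ip" or "any" matches every protocol
    dst_net: Optional[str] = None   # e.g. "10.1.1.1/30" (= 10.1.1.1 0.0.0.3)
    port_lt: Optional[int] = None   # destination-port lt N
    port_eq: Optional[int] = None   # destination-port eq N

    def matches(self, p: Packet) -> bool:
        if self.proto not in ("ip", "any", p.proto):
            return False
        if self.dst_net and IPv4Address(p.dst) not in IPv4Network(self.dst_net, strict=False):
            return False
        if self.port_lt is not None and (p.dport is None or p.dport >= self.port_lt):
            return False
        if self.port_eq is not None and p.dport != self.port_eq:
            return False
        return True


def acl_verdict(rules, p):
    """First matching rule wins; None means no rule of this ACL matched."""
    for r in rules:
        if r.matches(p):
            return r.action
    return None


@dataclass(frozen=True)
class Behavior:
    deny: bool = False
    car_kbps: Optional[int] = None  # car cir <kbit/s>; None = no rate limit


def apply_policy(policy, acls, p):
    """policy: ordered list of (acl_name, Behavior), one entry per classifier.
    Model from the document: classifiers are tried in the order they were added
    to the policy and the first ACL hit ends classification (1.9.2); an ACL deny
    discards the packet before any behavior runs (1.9.5); an ACL permit hands the
    packet to the classifier's behavior; a packet matching no rule is forwarded
    with no behavior applied, so it is never rate limited (1.9.4)."""
    for acl_name, behavior in policy:
        verdict = acl_verdict(acls[acl_name], p)
        if verdict == "deny":
            return "discard (acl deny)"
        if verdict == "permit":
            if behavior.deny:
                return "discard (behavior deny)"
            if behavior.car_kbps:
                return f"car {behavior.car_kbps} kbit/s"
            return "forward (behavior pass)"
    return "forward (no match)"


# Case 1.9.2: policy tp with classifier c1 (ACL 3010) before c2 (ACL 3011), then reordered.
ACLS_192 = {
    "3010": [Rule("permit", "ip", "10.1.1.1/30")],
    "3011": [Rule("permit", "udp", "10.1.1.1/30", port_lt=1023)],
}
B1, B2 = Behavior(car_kbps=400000), Behavior(deny=True)
TP_192_FAULTY = [("3010", B1), ("3011", B2)]
TP_192_FIXED = [("3011", B2), ("3010", B1)]


def acl3300(action):
    """ACL 3300 from cases 1.9.4/1.9.5 with the given action on all four rules."""
    return [Rule(action, "udp", port_eq=port) for port in (DNS, SNMP, SNMPTRAP, SYSLOG)]


CAR_1G3 = Behavior(car_kbps=1360000)
# Case 1.9.4: assumed starting point (deny rules only, car on udp-limit) and the final config.
ACLS_194_FAULTY = {"3300": acl3300("deny")}
TP_194_FAULTY = [("3300", CAR_1G3)]
ACLS_194_FIXED = {"3300": acl3300("deny"), "3301": [Rule("permit", "any")]}
TP_194_FIXED = [("3300", Behavior()), ("3301", CAR_1G3)]
# Case 1.9.5: deny rules plus "rule 4 permit udp" in one ACL, and the two-ACL fix.
ACLS_195_FAULTY = {"3300": acl3300("deny") + [Rule("permit", "udp")]}
TP_195_FAULTY = [("3300", CAR_1G3)]
ACLS_195_FIXED = {"3300": acl3300("permit"), "3301": [Rule("permit", "udp")]}
TP_195_FIXED = [("3300", Behavior()), ("3301", CAR_1G3)]

# Constructed sample packets (not from the page): a DNS query into 10.1.1.1/30 and a TCP flow.
UDP53 = Packet("udp", "10.1.1.2", DNS)
TCP80 = Packet("tcp", "192.0.2.10", 80)
```

Calling apply_policy with the FAULTY and FIXED pairs on UDP53 and TCP80 reproduces each case: the DNS packet is rate limited instead of dropped in 1.9.2, TCP bypasses the CAR in 1.9.4, and DNS is discarded by the ACL before udp-limit runs in 1.9.5.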