
Licensing Requirements and Limitations for MQC

Involved Network Elements

Other network elements are not required.

Licensing Requirements

MQC is a basic feature of the switch and is not under license control.

Feature Support in V200R019C10

All models of S2720, S5700, and S6700 series switches support MQC.

For details about software mappings, visit Hardware Query Tool and search for the desired product model.

Feature Limitations

  • Table 1 describes the specifications of MQC.
    Table 1 Specifications of MQC (Item: Specification)

    Maximum number of traffic classifiers:
    • Versions earlier than V100R006: 255
    • V100R006 to V200R002: 256
    • V200R003 and later versions: 512

    Maximum number of if-match rules in a traffic classifier: 1024

    Maximum number of traffic behaviors: 256

    Maximum number of traffic policies: 256

    Maximum number of traffic classifiers bound to a traffic policy: 256

    Maximum number of VLANs to which traffic policies can be applied: 3000

  • Applying a traffic policy consumes ACL resources. If ACL resources are insufficient, the traffic policy will fail to be applied. Assume that an if-match rule in a traffic policy occupies one ACL. When the traffic policy is applied to M interfaces, M ACLs are occupied. When the traffic policy is applied to multiple VLANs, one ACL is occupied for each VLAN the traffic policy is applied to. When the traffic policy is applied to the system, one ACL is occupied. Table 2 describes the ACL resource usage of if-match rules.
    Table 2 ACLs occupied by traffic classification rules

    Traffic Classification Rule:
      if-match vlan-id start-vlan-id [ to end-vlan-id ] (S2720-EI, S2750-EI, S5700-EI, S5700-LI, S5700S-LI, S5700-SI, S5710-C-LI, S5710-X-LI, S5720I-SI, S5720-LI, S5735-L, S5735S-L, S5735S-L-M, S5720S-LI, S5720S-SI, S5720-SI, S5735-S, S5735S-S, S5735-S-I, S5730S-EI, S5730-SI, S6720-LI, S6720S-LI, S6720S-SI, and S6720-SI)
      if-match cvlan-id start-vlan-id [ to end-vlan-id ] [ vlan-id vlan-id ] (S5700-EI, S5700-HI, S5710-EI, S5710-HI, S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6700-EI, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S)
    ACL Resource Usage: Rules are delivered according to the VLAN ID range and multiple ACLs are occupied. You can run the display acl division start-id to end-id command to check how ACL resources are used in a specified VLAN range.

    Traffic Classification Rule:
      if-match acl { acl-number | acl-name }
      if-match ipv6 acl { acl-number | acl-name }
    ACL Resource Usage:
    • Uplink: When the range resources are exhausted, rules containing range port-start port-end are delivered and multiple ACLs are occupied. Each rule containing tcp-flag established occupies two ACLs. (The uplink ACL resource usage on the S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-HI, S6730-H, S6730S-H, S6730-S, and S6730S-S is similar to the downlink ACL resource usage.)
    • Downlink: Rules containing range port-start port-end are delivered according to the port number range, and multiple ACLs are occupied. In other situations, one rule occupies one ACL. You can run the display acl division start-id to end-id command to check how ACL resources are used in a specified port number range.

    Traffic Classification Rule: Other if-match rules
    ACL Resource Usage: Each rule occupies one ACL.

    In V200R013C02 and later versions, resources occupied by a traffic policy that is applied to the inbound direction of an interface on the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, or S6730S-S can be shared by other interfaces on the switch to which the same traffic policy is applied in the inbound direction. ACL resource sharing is not supported in the following scenarios:
    • car or statistic enable is configured in a traffic behavior.
    • On the devices that do not support the extended MAC entry resource mode, an IPv6 ACL rule is configured in a traffic behavior (for example, if-match protocol ipv6 or if-match ipv6 acl is configured).
    You can run the following commands in all views to check information about ACL resources:
    • Run the display traffic-policy applied-record [ policy-name ] command to check whether the traffic policy applied to the inbound direction of an interface supports ACL resource sharing.
    • Run the display acl resource [ slot slot-id ] command to check information about ACL resources.
  • When a traffic policy is applied in multiple views, the traffic policy in the view with a higher priority takes effect. The views in descending order of priority are as follows: VLANIF interface view > WLAN-ESS interface view/SSID profile view > sub-interface view of physical interfaces/Eth-Trunk sub-interface view > physical interface view/Eth-Trunk interface view/port group view > VLAN view > system view.
  • Table 3 and Table 4 describe the traffic policy or the combination of traffic classifiers and traffic behaviors that takes effect in scenarios where packets match multiple traffic policies in different views or multiple combinations of traffic classifiers and traffic behaviors of the same traffic policy in the same direction in the same view.

    Table 3 Classification rules of the same type in a traffic classifier

    Packets Match Multiple Traffic Policies: Only the traffic policy applied in the view with the highest priority takes effect.

    Packets Match Multiple Combinations of Traffic Classifiers and Traffic Behaviors of the Same Traffic Policy: The first combination of traffic classifier and traffic behavior configured in the traffic policy takes effect. To view the configuration of a traffic policy, run the display this command in the traffic policy view.

    Table 4 Classification rules of different types in a traffic classifier

    Product: S5700-EI, S5700-HI, S5710-EI, S5710-HI, S5720-EI, S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735S-S, S5735-S-I, S6700-EI, S6720-EI, and S6720S-EI

    Packets Match Multiple Traffic Policies:
    If actions do not conflict, all the traffic policies take effect.
    If actions conflict:
    • If the matching order is set to config (configuration order) for traffic classifiers in a traffic policy, only the traffic policy applied in the view with the highest priority takes effect.
    • If the matching order is set to auto (automatic order) for traffic classifiers in a traffic policy, only the traffic policy containing the classification rule with the highest priority takes effect. If traffic policies are applied in the inbound direction, classification rules in descending order of priority are as follows: Layer 2 rule + Layer 3 rule > advanced ACL6 rule > basic ACL6 rule > Layer 3 rule > Layer 2 rule > user-defined ACL rule. If traffic policies are applied in the outbound direction, classification rules in descending order of priority are as follows: Layer 2 rule + Layer 3 rule > advanced ACL6 rule > basic ACL6 rule > Layer 2 rule > Layer 3 rule > user-defined ACL rule.

    Packets Match Multiple Combinations of Traffic Classifiers and Traffic Behaviors of the Same Traffic Policy:
    If actions do not conflict, all combinations of traffic classifiers and traffic behaviors take effect, and all actions will be performed.
    If actions conflict:
    • If the matching order is set to config (configuration order) for traffic classifiers in a traffic policy, the first combination of traffic classifier and traffic behavior in the output of the display this command run in the traffic policy view takes effect.
    • If the matching order is set to auto (automatic order) for traffic classifiers in a traffic policy, only the combination containing the traffic classifier with the classification rule of the highest priority takes effect. If a traffic policy is applied in the inbound direction, classification rules in descending order of priority are as follows: Layer 2 rule + Layer 3 rule > advanced ACL6 rule > basic ACL6 rule > Layer 3 rule > Layer 2 rule > user-defined ACL rule. If a traffic policy is applied in the outbound direction, classification rules in descending order of priority are as follows: Layer 2 rule + Layer 3 rule > advanced ACL6 rule > basic ACL6 rule > Layer 2 rule > Layer 3 rule > user-defined ACL rule.

    Product: S2720-EI, S2750-EI, S5700-LI, S5700S-LI, S5700-SI, S5710-C-LI, S5710-X-LI, S5720-HI, S5720I-SI, S5720-LI, S5720S-LI, S5720S-SI, S5720-SI, S5730-HI, S5730S-EI, S5730-SI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-HI, S6720-LI, S6720S-LI, S6720S-SI, S6720-SI, S6730-H, S6730S-H, S6730-S, and S6730S-S

    Packets Match Multiple Traffic Policies: Only the traffic policy applied in the view with the highest priority takes effect.

    Packets Match Multiple Combinations of Traffic Classifiers and Traffic Behaviors of the Same Traffic Policy: The first combination of traffic classifier and traffic behavior configured in the traffic policy takes effect. To view the configuration of a traffic policy, run the display this command in the traffic policy view.

    It is recommended that you configure traffic policies in descending order of priority; otherwise, traffic policies may not take effect immediately. For details about traffic classification rules, see "Overview of MQC".

  • If an MQC-based traffic policy and an ACL-based simplified traffic policy matching the same ACL are applied to the same object, the ACL-based simplified traffic policy takes effect. However, if ACL-based packet filtering is configured using the traffic-secure command, it can take effect together with an MQC-based traffic policy matching the same ACL.

  • If the ACL rule matches the VPN instance name of packets, the ACL-based traffic policy fails to be delivered.

  • If a traffic policy fails to be applied due to insufficient ACL resources on the switch, you are advised to delete the configuration of the traffic policy. Otherwise, if the configuration is saved and the switch is restarted, configuration of other services that run properly will fail to be restored.

  • If the traffic policy that you want to delete has been applied to the system, an interface, or a VLAN, run the undo traffic-policy command to unbind the traffic policy. Then run the undo traffic policy command in the system view to delete the traffic policy. The traffic policy that is not applied can be deleted directly.

  • On switches in a version earlier than V200R009C00, a traffic policy cannot be applied to a VLANIF interface. On the following switches, a traffic policy can be applied to a VLANIF interface:

    • S5720-EI, S5720-HI, and S6720-EI in V200R009C00 and later versions

    • S5730-HI, S6720S-EI, S5731-H, S6730-H, S6730S-H, S5731-S, S5731S-S, S6730-S, S6730S-S, S5731S-H, S5732-H, and S6720-HI in all versions

  • The packets destined for the local switch are sent to the CPU. After functions related to some protocols such as BGP, OSPF, and LACP are enabled, packets of these protocols are also sent to the CPU. If packets sent to the CPU match both CPCAR and a traffic classification rule in a traffic policy, but the actions to be taken conflict with each other, CPCAR or the traffic policy with a higher precedence takes effect. Table 5 describes the precedence between CPCAR and traffic policies.
    Table 5 Precedence between CPCAR and traffic policies

    Product Model: S2700-EI, S2710-SI, S2720-EI, S2750-EI, S3700, S5700-LI, S5700S-LI, S5710-C-LI, S5710-X-LI, S5700-SI, S5700-EI, S5710-EI, S5720-LI, S5720S-LI, S5720-SI, S5720S-SI, S5720I-SI, S5700-HI, S5710-HI, S5730-SI, S5730S-EI, S6700-EI, S6720-LI, S6720S-LI, S6720-SI, S6720S-SI
    Precedence Details: Traffic policies take precedence over CPCAR.
    NOTE: For ARP packets to be sent to the CPU in the DHCP and NAC authentication services, CPCAR takes precedence over traffic policies.

    Product Model: S6720-EI, S6720S-EI, S5720-EI, S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735S-S, S5735-S-I, S5720-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S5730-HI, S6720-HI, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S
    Precedence Details: CPCAR takes precedence over traffic policies.
    NOTE: On the S5720-EI running V200R007, traffic policies take precedence over CPCAR. On the S5720-EI running other versions, CPCAR takes precedence over traffic policies.

  • In scenarios where both MQC and VLAN mapping are configured for incoming traffic:
    • For the S5700-EI, S5700-HI, S5710-EI, S5710-HI, S5720-EI, S6700-EI, S6720-EI, or S6720S-EI, if a traffic behavior defines the action of flow ID re-marking, re-marking of inner VLAN tags in QinQ packets, MAC address learning disabling, or redirection of packets to a VPN instance, MQC matches the VLAN ID before mapping.
    • For the S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-HI, S6730-H, S6730S-H, S6730-S, or S6730S-S, if a traffic behavior defines the action of selective QinQ, VLAN mapping, flow ID re-marking, 802.1p priority re-marking, or MAC address learning disabling, MQC matches the VLAN ID before mapping.
    • For the S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735-S-I, or S5735S-S, if a traffic behavior defines the action of re-marking the 802.1p priority of VLAN packets, re-marking the VLAN tag of VLAN packets, or disabling MAC address learning, MQC matches the VLAN ID before mapping.
    • In other cases, MQC matches the VLAN ID after mapping.
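
Added example (not from the Huawei documentation): a Python model of the view priority order and the Table 3 and Table 4 rules for a packet that matches traffic policies applied in several views, usable to check whether a filtering policy is shadowed by a policy in another view. The view and rule-type labels, the names `Match` and `effective`, and the sample policy names are assumptions of this example, not CLI keywords.

```python
from dataclasses import dataclass

# Views, highest priority first. Labels are this example's own, not CLI keywords.
VIEW_TIERS = [
    {"vlanif"}, {"wlan-ess", "ssid-profile"},
    {"sub-interface", "eth-trunk-sub-interface"},
    {"physical", "eth-trunk", "port-group"}, {"vlan"}, {"system"},
]
# Rule types for matching order "auto", highest priority first, per direction.
RULE_ORDER = {
    "inbound": ["l2+l3", "acl6-advanced", "acl6-basic", "l3", "l2", "user-defined"],
    "outbound": ["l2+l3", "acl6-advanced", "acl6-basic", "l2", "l3", "user-defined"],
}

@dataclass(frozen=True)
class Match:
    policy: str      # traffic policy name (constructed)
    view: str        # one of the labels in VIEW_TIERS
    rule_type: str   # one of the labels in RULE_ORDER

def view_rank(view):
    return next(i for i, tier in enumerate(VIEW_TIERS) if view in tier)

def effective(matches, direction, table4_row1, conflict, order="config"):
    """Return the names of the policies that act on the packet.

    table4_row1: True for the models listed in the first row of Table 4.
    conflict:    True if the actions of the matched policies conflict.
    order:       matching order of the classifiers, "config" or "auto".
    """
    by_view = min(matches, key=lambda m: view_rank(m.view))
    same_type = len({m.rule_type for m in matches}) == 1
    if same_type or not table4_row1:
        return [by_view.policy]                 # Table 3, or Table 4 second row
    if not conflict:
        return [m.policy for m in matches]      # all policies take effect
    if order == "config":
        return [by_view.policy]                 # highest-priority view wins
    # "auto": the policy holding the highest-priority rule type wins.
    # Ties are not defined on the page; min() keeps the first listed.
    rank = RULE_ORDER[direction].index
    return [min(matches, key=lambda m: rank(m.rule_type)).policy]

# Constructed sample: a Layer 2 policy on a VLANIF, a Layer 3 policy in the system view.
SAMPLE = [Match("p-vlanif-l2", "vlanif", "l2"), Match("p-system-l3", "system", "l3")]
```

With matching order auto and conflicting actions, the sample's system-view Layer 3 policy wins in the inbound direction and the VLANIF Layer 2 policy wins in the outbound direction, even though the VLANIF view has the higher view priority.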
Copyright © Huawei Technologies Co., Ltd.