Configuring a DAA Service Policy

This section describes how to configure a DAA service policy.

Procedure

Run system-view
The system view is displayed.

Configure a DAA traffic policy and globally apply it.

Run acl { name ucl-acl-name [ ucl | [ ucl ] number ucl-acl-number ] | [ number ] ucl-acl-number } [ match-order { auto | config } ]
An ACL is created and its view is displayed.

Run the corresponding command to create an ACL rule based on the protocol type.

**Table 1** Creating an ACL rule
Protocol Type	Command
TCP	rule [ rule-id ] [ name rule-name ] { deny \| permit } { protocol \| tcp } [ [ dscp dscp \| [ precedence precedence \| tos tos ] ^* ] \| source { { ip-address { source-ip-address { source-ip-address-mask \| 0 } \| any } \| source-pool source-pool-name } \| any \| [ service-group { service-group-name \| any } \| user-group { user-group-name \| any } ] } \| destination { { ip-address { destination-ip-address { destination-ip-address-mask \| 0 } \| any } \| destination-pool destination-pool-name } \| any \| [ service-group { service-group-name \| any } \| user-group { user-group-name \| any } ] } \| source-port operator port-number \| destination-port operator port-number \| syn-flag { syn-flag [ mask mask-value ] \| { bit-match { established \| fin \| syn \| rst \| psh \| ack \| urg \| ece \| crw \| ns } } } \| fragment-type { fragment \| non-fragment \| non-subseq \| fragment-subseq \| fragment-spe-first } \| time-range time-name \| vlan vlan-id \| inner-vlan cvlan-id ] ^*
UDP	rule [ rule-id ] [ name rule-name ] { deny \| permit } { protocol \| udp } [ [ dscp dscp \| [ precedence precedence \| tos tos ] ^* ] \| source { { ip-address { source-ip-address { source-ip-address-mask \| 0 } \| any } \| source-pool source-pool-name } \| any \| [ service-group { service-group-name \| any } \| user-group { user-group-name \| any } ] } \| destination { { ip-address { destination-ip-address { destination-ip-address-mask \| 0 } \| any } \| destination-pool destination-pool-name } \| any \| [ service-group { service-group-name \| any } \| user-group { user-group-name \| any } ] } \| source-port operator port-number \| destination-port operator port-number \| fragment-type { fragment \| non-fragment \| non-subseq \| fragment-subseq \| fragment-spe-first } \| time-range time-name \| vlan vlan-id \| inner-vlan cvlan-id ] ^*
ICMP	rule [ rule-id ] [ name rule-name ] { deny \| permit } { protocol \| icmp } [ [ dscp dscp \| [ precedence precedence \| tos tos ] ^* ] \| source { { ip-address { source-ip-address { source-ip-address-mask \| 0 } \| any } \| source-pool source-pool-name } \| any \| [ service-group { service-group-name \| any } \| user-group { user-group-name \| any } ] } \| destination { { ip-address { destination-ip-address { destination-ip-address-mask \| 0 } \| any } \| destination-pool destination-pool-name } \| any \| [ service-group { service-group-name \| any } \| user-group { user-group-name \| any } ] } \| icmp-type { icmp-name \| icmp-type icmp-code } \| fragment-type { fragment \| non-fragment \| non-subseq \| fragment-subseq \| fragment-spe-first } \| time-range time-name \| vlan vlan-id \| inner-vlan cvlan-id ] ^*
Other protocols	rule [ rule-id ] [ name rule-name ] { deny \| permit } { zero \| protocol \| gre \| ip \| ipinip \| igmp \| ospf } [ [ dscp dscp \| [ precedence precedence \| tos tos ] ^* ] \| source { { ip-address { source-ip-address { source-ip-address-mask \| 0 } \| any } \| source-pool source-pool-name } \| any \| [ service-group { service-group-name \| any } \| user-group { user-group-name \| any } ] } \| destination { { ip-address { destination-ip-address { destination-ip-address-mask \| 0 } \| any } \| destination-pool destination-pool-name } \| any \| [ service-group { service-group-name \| any } \| user-group { user-group-name \| any } ] } \| fragment-type { fragment \| non-fragment \| non-subseq \| fragment-subseq \| fragment-spe-first } \| time-range time-name \| vlan vlan-id \| inner-vlan cvlan-id ] ^*

Run commit
The configuration is committed.
Run quit
Return to the system view.
(Optional) Run acl ipv6 number ucl-acl6-number [ match-order { auto | config } ]
An ACL6 is created and its view is displayed.

(Optional) Run the corresponding command to create an ACL6 rule based on the protocol type.

**Table 2** Creating an ACL6 rule
Protocol Type	Command
TCP	rule [ rule-id ] [ name rule-name ] { permit \| deny } { protocol \| tcp } [ [ dscp dscp \| [ precedence precedence \| tos tos ] ^* ] \| destination { destination-ipv6-address prefix-length \| destination-ipv6-address/prefix-length \| any } \| destination-port operator port \| fragment \| source { source-ipv6-address prefix-length \| source-ipv6-address/prefix-length \| any } source-pool source-pool-name } \| source-port operator port \| tcp-flag { tcp-flag [ mask mask-value ] \| established \| { ack \| fin \| psh \| rst \| syn \| urg } ^* } \| time-range time-name \| [ vpn-instance vpn-instance-name \| vpn-instance-any ] ] ^*
UDP	rule [ rule-id ] [ name rule-name ] { permit \| deny } { protocol \| udp } [ [ dscp dscp \| [ precedence precedence \| tos tos ] ^* ] \| destination { destination-ipv6-address prefix-length \| destination-ipv6-address/prefix-length \| any } \| destination-port operator port \| fragment \| source { source-ipv6-address prefix-length \| source-ipv6-address/prefix-length \| any } source-pool source-pool-name } \| source-port operator port \| time-range time-name \| [ vpn-instance vpn-instance-name \| vpn-instance-any ] ] ^*
ICMPv6	rule [ rule-id ] [ name rule-name ] { permit \| deny } { protocol \| icmpv6 } [ [ dscp dscp \| [ precedence precedence \| tos tos ] ^* ] \| destination { destination-ipv6-address prefix-length \| destination-ipv6-address/prefix-length \| any } \| fragment \| icmp6-type { icmp6-type-name \| icmp6-type [ to icmp6-type-end ] [ icmp6-code ] } \| source { source-ipv6-address prefix-length \| source-ipv6-address/prefix-length \| any } source-pool source-pool-name } \| time-range time-name \| [ vpn-instance vpn-instance-name \| vpn-instance-any ] ] ^*
Other protocols	rule [ rule-id ] [ name rule-name ] { permit \| deny } { hoport [ option-code option-value ] \| 1 \| 5 \| protocol \| gre \| ipv6 \| ipv6-frag \| ipv6-ah \| ipv6-esp \| ospf \| 7-16 \| 18-42 \| { 43 \| ipv6-routing } [ routing-type routing-number ] \| 44-57 \| 59 \| { 60 \| ipv6-destination } [ option-code option-value ] \| 61-255 } [ destination { destination-ipv6-address prefix-length \| dest-ipv6-addr-prefix \| any } \| fragment \| { source { source-ipv6-address prefix-length \| src-ipv6-addr-prefix \| any } \| source-pool source-pool-name } \| time-range time-name \| [ dscp dscp \| [ precedence { precedence \| critical \| flash \| flash-override \| immediate \| internet \| network \| priority \| routine } \| tos { tos \| max-reliability \| max-throughput \| min-delay \| min-monetary-cost \| normal } ] ^* ] \| [ vpn-instance vpn-instance-name \| vpn-instance-any ] ] ^*

(Optional) Run commit
The configuration is committed.
(Optional) Run quit
Return to the system view.

Configure a traffic classifier.
1. Run traffic classifier classifier-name [ operator { and | or } ]
  A traffic classifier is configured and the traffic classifier view is displayed.
2. Run if-match [ ipv6 ] acl { acl-number | name acl-name }
  The traffic classifier references a specified ACL or ACL6.
3. Run commit
  The configuration is committed.
4. Run quit
  Return to the system view.
Configure a traffic behavior.
1. Run traffic behavior behavior-name
  A traffic behavior is configured and the traffic behavior view is displayed.
2. Run tariff-level tariff-level
  A DAA tariff level is configured.
3. Run car
  DAA traffic policing is configured for the traffic behavior.
4. Run traffic-statistic
  Traffic statistics collection is enabled for DAA services.
5. Run commit
  The configuration is committed.
6. Run quit
  Return to the system view.
Define a DAA traffic policy.
1. Run traffic policy policy-name
  A DAA traffic policy is configured and its view is displayed.
2. Run classifier classifier-name behavior behavior-name [ precedence precedence-value ]
  A traffic behavior is specified for the traffic classifier in the DAA traffic policy. classifier-name and behavior-name specify the configured traffic classifier and traffic behavior, respectively.
3. Run commit
  The configuration is committed.
4. Run the quit
  Return to the system view.
5. Run accounting-service-policy policy-name
  The DAA traffic policy is globally applied.

Configure a DAA service policy.

**Table 3** Procedure for configuring a DAA service policy
Objective	Task	Description
Create a A DAA service policy and enter the DAA service policy view.	value-added-service policy service-policy-name daa	Mandatory. Creating a DAA service policy and entering its view are the prerequisites for performing the following operations.
Configure an accounting scheme for the DAA service policy	accounting-scheme accounting-scheme-name	Mandatory. After an accounting scheme template is referenced by a value-added service policy template, the service uses the accounting scheme in the accounting scheme template. An accounting scheme can be configured either in a domain or in a DAA service policy template. The priority of an accounting scheme configured in a DAA service policy template is higher than that configured in a domain.
Enable unified accounting for DAA services.	accounting-together enable	Optional. When users access network services with different bandwidth requirements, such as gaming, FTP, and VoD services, these network services are planned as different DAA services for rate limiting. Configure the unified accounting service which allows the service to interact with the accounting server to implement traffic reporting and service quota management.
Configure the QoS resource type requested by downstream DAA services.	rate-limit-mode	Optional. After CAR is performed on a DAA service flow, packets in the DAA service flow are re-marked with different priorities and are scheduled into SQs. To meet this requirement, install an enhanced TM subcard on a specified board and run the rate-limit-mode car outbound command to configure the car mode for downstream DAA services.
Configure DAA user traffic to match a DAA service policy.	accounting-service-policy { inbound \| outbound } { auto \| disable \| enable }	Optional. To implement refined control over DAA functions and save DAA QoS resources, for example, run the accounting-service-policy inbound disable command to disable upstream DAA user traffic from matching a DAA service policy, preventing upstream QoS resource application.
Enable rate limit separation for DAA services.	traffic-separate enable	Optional. After rate limit separation is enabled for DAA services in a DAA service policy template, the service traffic bandwidth of DAA users using this template is no longer limited by the user bandwidth.
Enable DAA service traffic to be counted into user traffic.	user accounting-together enable	Optional. You can run this command to count DAA user service traffic into user traffic.
Configure separate traffic statistics collection for dual-stack DAA users based on user queues.	user accounting dual-stack separate user-queue	Optional. When CAR rate limit is performed for DAA services and SQs are configured to limit user rates, statistics based on count IDs are not performed for traffic after CAR rate limit if the traffic-separate enable command is run to configure DAA service separation. In this situation, separate traffic statistics are performed for dual-stack DAA users. As a result, user service traffic cannot be counted into DAA service traffic. To perform separate traffic statistics for dual-stack DAA users based on user queues, run the user accounting dual-stack separate user-queue command.
Configure the accounting status or IP type for a specified DAA tariff level.	tariff-level-cfg level { accounting off \| ip-type ipv6 }	Optional. DAA service traffic statistics are collected and reported based on the IP type configured for each level, which is irrelevant to the traffic type that actually matches the specific level. Therefore, when deploying dual-stack DAA services, you need to ensure that the ACL type of each service is consistent with the IP type configured for the DAA tariff level to prevent IPv4 and IPv6 traffic from matching the same level.
Configure a tariff level and a QoS profile for DAA services	tariff-level level qos-profile qos-profile-name	Mandatory. To limit the rate of DAA user traffic based on the parameters set in the QoS profile for a tariff level, run the tariff-level qos-profile command.
Configure the user group to be bound to a service policy.	user-group user-group-name	Mandatory. Reference an ACL user group to the value-added service template. NOTE: You can configure a user group using any of the following methods: Configure a user group in a domain. Configure a user group using a DAA service policy template. Deliver a user group through the RADIUS server. The user group configured using a DAA service policy template has the highest priority, followed by the one delivered by the RADIUS server, and then the one configured in a domain. The DAA service tariff level used by users must be the same as the DAA ACL tariff level planned for the user group to which the users belong.

Run quit
Return to the system view.
(Optional) Run radius-server coa-request hw-policy-name daa same-policy reply-ack
The device is enabled to respond with an ACK message when the RADIUS server delivers the same DAA service policy as that in the domain using the HW-Policy-Name (26-95) attribute in a CoA message in unified DAA accounting scenarios.

This command can take effect only after the accounting-together enable command is run.
(Optional) Run radius-server coa-request hw-policy-name daa coexist-with-user
Both the HW-Policy-Name (26–95) attribute (DAA value-added service attribute) and other user attributes in a CoA message are allowed to take effect at the same time.
(Optional) Run value-added-service tariff-queue-mapping { [ cs7 ] | [ cs6 ] | [ ef ] | [ af4 ] | [ af3 ] | [ af1 ] | [ be ] | [ af2 ] } #8-8
The mapping between DAA tariff levels and flow queues is configured.
(Optional) Run value-added-service quota-out { online | offline }
A policy is configured for the scenario where the real-time accounting response packet sent after the DAA accounting service quota is exhausted does not carry a new quota.