Configuring an EDSG Traffic Policy

To distinguish user traffic over networks 1 and 2, create two service groups and configure an EDSG traffic policy for each service group. This section describes how to configure an EDSG traffic policy.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run service-group service-group-name

    A service group is created.

  3. Define an ACL rule for matching the service group.
    1. Run the acl { name advance-acl-name [ advance | [ advance ] number advance-acl-number ] | [ number ] advance-acl-number } [ match-order { config | auto } ] command to create an ACL and enter the ACL view.

      You need to use UCLs. The number of a UCL ranges from 6000 to 9999.

    2. Create an ACL rule based on protocol types.

      1. For TCP, run:

        rule [ rule-id ] [ name rule-name ] { deny | permit } { protocol | tcp } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | { destination { destination-ip-address { destination-wildcard | 0 | des-netmask } | any } | destination-pool destination-pool-name } | { destination-port operator port-number | destination-port-pool destination-port-pool-name } | fragment-type { fragment | non-fragment | non-subseq | fragment-subseq | fragment-spe-first } | { source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | source-pool source-pool-name } | { source-port operator port-number | source-port-pool source-port-pool-name } | { tcp-flag | syn-flag } { tcp-flag [ mask mask-value ] | established |{ ack [ fin | psh | rst | syn | urg ] * } | { fin [ ack | psh | rst | syn | urg ] * } | { psh [ fin | ack | rst | syn | urg ] * } | { rst [ fin | psh | ack | syn | urg ] * } | { syn [ fin | psh | rst | syn | urg ] * } | { urg [ fin | psh | rst | syn | urg ] * } } | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] | ttl ttl-operation ttl-value | packet-length length-operation length-value ] *

      2. For UDP, run:

        rule [ rule-id ] [ name rule-name ] { deny | permit } { protocol | udp } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | { destination { destination-ip-address { destination-wildcard | 0 | des-netmask } | any } | destination-pool destination-pool-name } | { destination-port operator port-number | destination-port-pool destination-port-pool-name } | fragment-type { fragment | non-fragment | non-subseq | fragment-subseq | fragment-spe-first } | { source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | source-pool source-pool-name } | { source-port operator port-number | source-port-pool source-port-pool-name } | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] | ttl ttl-operation ttl-value | packet-length length-operation length-value ] *

      3. For ICMP, run:

        rule [ rule-id ] [ name rule-name ] { deny | permit } { protocol | icmp } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | { destination { destination-ip-address { destination-wildcard | 0 | des-netmask } | any } | destination-pool destination-pool-name } | fragment-type { fragment | non-fragment | non-subseq | fragment-subseq | fragment-spe-first } | icmp-type { icmp-name | icmp-type [ to icmp-type-end ] [ icmp-code ] } | { source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | source-pool source-pool-name } | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] | ttl ttl-operation ttl-value | packet-length length-operation length-value ] *

      4. For other protocols, run:

        rule [ rule-id ] [ name rule-name ] { deny | permit } { protocol | gre | ip | ipinip | igmp | ospf } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | { destination { destination-ip-address { destination-wildcard | 0 | des-netmask } | any } | destination-pool destination-pool-name } | fragment-type { fragment | non-fragment | non-subseq | fragment-subseq | fragment-spe-first } | { source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | source-pool source-pool-name } | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] | ttl ttl-operation ttl-value | packet-length length-operation length-value ] *

    3. Run commit

      The configuration is committed.

    4. Run quit

      Return to the system view.

  4. (Optional) Define an ACL6 rule for matching the service group.
    1. Run the acl ipv6 number ucl-acl6-number [ match-order { auto | config } ] command to create an ACL6 and enter the ACL6 view.

      You need to use UCL6s. The number of a UCL6 ranges from 6000 to 9999.

    2. Create an ACL6 rule based on protocol types.

      1. For TCP, run:

        rule [ rule-id ] [ name rule-name ] { deny | permit } { protocol | tcp } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | source { ipv6-address { source-ipv6-address { prefix-length | source-wildcard } | source-ipv6-address/prefix-length | any } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } | destination { ipv6-address { destination-ipv6-address { prefix-length | destination-wildcard } | destination-ipv6-address/prefix-length | any } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } | source-port operator port-number | destination-port operator port-number | fragment | traffic-class traffic-class | time-range time-name ] *

      2. For UDP, run:

        rule [ rule-id ] [ name rule-name ] { deny | permit } { protocol | udp } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | source { ipv6-address { source-ipv6-address { prefix-length | source-wildcard } | source-ipv6-address/prefix-length | any } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } | destination { ipv6-address { destination-ipv6-address { prefix-length | destination-wildcard } | destination-ipv6-address/prefix-length | any } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } | source-port operator port-number | destination-port operator port-number | fragment | traffic-class traffic-class | time-range time-name ] *

      3. For ICMPv6, run:

        rule [ rule-id ] [ name rule-name ] { deny | permit } { protocol | icmpv6 } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | source { ipv6-address { source-ipv6-address { prefix-length | source-wildcard } | source-ipv6-address/prefix-length | any } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } | destination { ipv6-address { destination-ipv6-address { prefix-length | destination-wildcard } | destination-ipv6-address/prefix-length | any } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } | icmp6-type { icmp6-type-name | icmp6-type icmp6-code } | fragment | traffic-class traffic-class | time-range time-name ] *

      4. For other protocols, run:

        rule [ rule-id ] [ name rule-name ] { deny | permit } { protocol | gre | ipv6-esp | ipv6 | ipv6-ah | ospf } [ [ dscp dscp | [ precedence precedence | tos tos ] * ] | source { ipv6-address { source-ipv6-address { prefix-length | source-wildcard } | source-ipv6-address/prefix-length | any } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } | destination { ipv6-address { destination-ipv6-address { prefix-length | destination-wildcard } | destination-ipv6-address/prefix-length | any } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } | fragment | traffic-class traffic-class | time-range time-name ] *

    3. Run commit

      The configuration is committed.

    4. Run quit

      Return to the system view.

  5. Configure a traffic classifier.
    1. Run traffic classifier classifier-name [ operator { and | or } ]

      A traffic classifier is configured and the traffic classifier view is displayed.

    2. Run if-match [ ipv6 ] acl { acl-number | name acl-name }

      The traffic classifier references a specified ACL or ACL6.

    3. Run commit

      The configuration is committed.

    4. Run quit

      Return to the system view.

  6. Configure a traffic behavior.
    1. Run traffic behavior behavior-name

      A traffic behavior is configured and the traffic behavior view is displayed.

    2. (Optional) Run service-class edsg keep-queue-level

      The device is configured to retain the service class of the original packets after the EDSG service is matched to a traffic behavior.

    3. Run commit

      The configuration is committed.

    4. Run quit

      Return to the system view.

  7. Configure an EDSG traffic policy.
    1. Run traffic policy policy-name

      An EDSG traffic policy is configured and the EDSG traffic policy view is displayed.

    2. Run classifier classifier-name behavior behavior-name [ precedence precedence-value ]

      The traffic behavior is specified for the traffic classifier.

    3. Run commit

      The configuration is committed.

    4. Run quit

      Return to the system view.

  8. Run traffic-policy policy-name { inbound | outbound }

    The EDSG traffic policy is globally applied.

  9. Run commit

    The configuration is committed.
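
The procedure above carried through for one service group (network 1), as an added example that is not part of the original page; the same steps are repeated for the second service group. The names (s_net1, c_net1, b_net1, p_edsg), the UCL numbers 6020 and 6120, and the 192.0.2.0/24 and 2001:db8:100::/64 prefixes are constructed. The service-group and ip-address operands in the IPv4 UCL rules are an assumption modelled on the ACL6 syntax, because they do not appear in the IPv4 rule syntax listed on this page.

```text
# Constructed example: names, numbers and prefixes are placeholders.
# Steps 1-2: enter the system view and create the service group.
system-view
service-group s_net1

# Step 3: UCL (number in 6000-9999) for network 1 traffic, both directions.
# Assumption: the service-group / ip-address operands below follow the ACL6
# syntax on this page; they are not in the IPv4 rule syntax listed here.
acl number 6020
 rule 10 permit ip source service-group s_net1 destination ip-address 192.0.2.0 0.0.0.255
 rule 20 permit ip source ip-address 192.0.2.0 0.0.0.255 destination service-group s_net1
 commit
 quit

# Step 4 (optional): UCL6 for the same service group.
acl ipv6 number 6120
 rule 10 permit ipv6 source service-group s_net1 destination ipv6-address 2001:db8:100::/64
 rule 20 permit ipv6 source ipv6-address 2001:db8:100::/64 destination service-group s_net1
 commit
 quit

# Step 5: one classifier that matches either the UCL or the UCL6.
traffic classifier c_net1 operator or
 if-match acl 6020
 if-match ipv6 acl 6120
 commit
 quit

# Step 6: traffic behavior (the optional service-class setting is omitted).
traffic behavior b_net1
 commit
 quit

# Step 7: bind the classifier to the behavior in the EDSG traffic policy.
traffic policy p_edsg
 classifier c_net1 behavior b_net1
 commit
 quit

# Steps 8-9: apply the policy globally in both directions and commit.
traffic-policy p_edsg inbound
traffic-policy p_edsg outbound
commit
```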

Copyright © Huawei Technologies Co., Ltd.