After a Traffic Policy Is Applied Globally on an S3700, the Rate Limit Is Invalid When a Traffic Policy Is Applied to Interface?

Table 1 lists the web-based management features supported by S series switches.
Table 1 Web-based management features supported by switches Category
Function System management Upgrade, patch loading, PoE, DNS, stacking, viewing log files, and setting the system time, SNMP parameters, and EasyDeploy parameters
NOTE: Switches in V200R002 and later versions support SNMP and EasyDeploy parameter configuration. Interface management Viewing/configuring basic interface attributes and viewing statistics on an interface Service management VLAN, MAC address, STP, voice VLAN, DHCP, ARP, VRRP, and IGMP snooping ACL management Creating/modifying/deleting ACL rules and effective periods QoS Priority mapping, traffic policy, rate limit on an interface, traffic shaping, and congestion management Route management Viewing IPv4 routes, configuring static routes, and setting the preference of static routes Security management Port isolation, static user binding, AAA, 802.1x authentication, and MAC address authentication Tools Ping, Tracert, and VCT S2300 Switch Thunder link com

Assume that the statistics on ping packets from 10.1.1.0/24 need to be collected on the interface Ethernet0/0/1 or GigabitEthernet0/0/1. The configuration is as follows:
# Configuration the acl rule.
[HUAWEI] acl number 3333 [HUAWEI-acl-adv-3333] rule 5 permit icmp source 10.1.1.0 0.0.0.255 [HUAWEI-acl-adv-3333] quit # Configuration the traffic classifier.
[HUAWEI] traffic classifier test [HUAWEI-classifier-test] if-match acl 3333 [HUAWEI-classifier-test] quit
# Configuration the traffic behavior:
[HUAWEI] <strong>traffic behavior test</strong> [HUAWEI-behavior-test] <strong>statistic enable</strong> [HUAWEI-behavior-test] <strong>quit</strong>
# Configuration the traffic policy.
[HUAWEI] traffic policy test [HUAWEI-trafficpolicy-test] classifier test behavior test [HUAWEI-trafficpolicy-test] quit # Apply the traffic policy:

• # Apply the traffic policy test to the S2700 or S3700. [HUAWEI] <strong>interface ethernet0/0/1</strong> [HUAWEI-Ethernet0/0/1] <strong>traffic-policy test inbound</strong>
• # Apply the traffic policy test to the S5700. [HUAWEI] <strong>interface gigabitethernet0/0/1</strong> [HUAWEI-GigabitEthernet0/0/1] <strong>traffic-policy test inbound</strong>

After the configuration, run the display traffic policy statistics interface interface-type interface-number command to view the traffic statistics. To re-collect traffic statistics, run the reset traffic policy statistics interface interface-type interface-number command to clear existing traffic statistics first.
NOTE:

• The S2700 or S3700 can collect statistics only on incoming packets.
• The S5700 can collect statistics on incoming and outgoing packets, but cannot collect statistics on packets sent from its own CPU.

S5700 Switch Thunder link com

Configure Rate Limit on S2700&S3700&S5700? When you configure rate limit, the following configuration is recommended:
· Set the CIR, CBS, and PBS values but not the PIR value.
· CBS = 200 x CIR
· PBS = 2 x CBS = 2 x 200 x CIR = 400 x CIR
The CIR value is expressed in kbit/s, and the CBS and PBS values are expressed in bytes.
Set the rate limit for outgoing packets on the interface to 10 Mbit/s.
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] qos lr outbound cir 10240 cbs 2048000
Set the rate limit for incoming packets on the interface to 10 Mbit/s.
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] qos lr inbound cir 10240 cbs 2048000
NOTE:
A traffic policy can be used in the physical interface view, Eth-Trunk interface view, and VLAN view.

How to Configure Rate Limit on S6700?
When you configure rate limit, the following configuration is recommended: Set the CIR, CBS, and PBS values but not the PIR value. CBS = 200 x CIR PBS = 2 x CBS = 2 x 200 x CIR = 400 x CIR The CIR value is expressed in kbit/s, and the CBS and PBS values are expressed in bytes. Set the rate limit for outgoing packets on the interface to 10 Mbit/s. [HUAWEI] interface ethernet 0/0/1 [HUAWEI-Ethernet0/0/1] qos lr outbound cir 10240 cbs 2048000Set the rate limit for incoming packets on the interface to 10 Mbit/s. [HUAWEI] interface ethernet 0/0/1 [HUAWEI-Ethernet0/0/1] qos lr inbound cir 10240 cbs 2048000 S6700 Switch Thunder link com

The modular switches(such as S2309TP-EI-AC) support rate limiting for inbound traffic on an Eth-Trunk. This function can be configured using the qos car command. After this command is executed:
· If the member interfaces of the Eth-Trunk are located on different LPUs, the configured rate limit applies to each interface individually.
· If the member interfaces of the Eth-Trunk are located on the same LPU, the member interfaces share the bandwidth specified by the rate limit. The bandwidth is distributed on the member interfaces randomly.

Fault Symptom The outbound interface of the switch joins a VLAN in untagged mode. When the remark 802.1p command is configured on the outbound interface, the configuration is invalid.
Cause Analysis The configuration of the S5700(such as S5700-28P-LI-AC)is as follows:
#
traffic classifier test
if-match any
traffic behavior test
remark 8021p 2
traffic policy test
classifier test behavior test
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
traffic-policy test outbound
#
The outbound interface joins a VLAN in untagged mode, so VLAN tags are removed from packets sent by the interface.
Conclusion To apply traffic policy defining remark vlan to the outbound interface, ensure that the interface joins a VLAN in tagged mode.

This is the method of configuring Switch:
Configure QoS CAR on an interface to implement rate limiting in the inbound direction. Alternatively, configure a traffic policy with an ACL-based traffic classifier to limit the rate of packets matching the ACL.
QoS CAR cannot be applied to outbound traffic, but you can limit the rate of outbound traffic using a traffic policy or traffic shaping.

HI,

You shall do the same with MPF. Create a regex filter to identify the types of files you would like to block,

e.g. 1
2
3
4
5 regex archive-type1 ".*\.([Zz][Ii][Pp]'[Tt][Aa][Rr]'[Tt][Gg][Zz]) HTTP/1.[01]"
regex archive-type2 ".*\.([Tt][Aa][Rr].([Gg][Zz]'[Bb][Zz]2)'7[Zz]) HTTP/1.[01]"
regex doc-type1 ".*\.([Dd][Oo][Cc]'[Xx][Ll][Ss]'([Pp]){2}[Tt]) HTTP/1.[01]"
regex doc-type2 ".*\.([Pp][Dd][Ff]'[Oo][Dd][Tt]) HTTP/1.[01]"
regex exe-type1 ".*\.([Ee][Xx][Ee]'[Vv][Bb][Ss]'[Vv][Bb][Aa]) HTTP/1.[01]"
Create regex for Content-Type Application/*

1
2 regex application-header "application/*"
regex content-type "Content-Type"
Classify regex that matches the extension types
class-map type regex match-any ext-types
match regex doc-type1
match regex doc-type2
match regex archive-type2
match regex archive-type1
match regex exe-type1

Capture the http response that contains content-type and application/* header
2
class-map type inspect http match-all http-header-response
match response header regex content-type regex application-header
Capture http request packet that matches the class ext-types
1
2 class-map type inspect http match-all http-request
match request uri regex class ext-types

HTTP is the interesting traffic
1
2
3
4 access-list http-traffic extended permit tcp any any eq www
access-list http-traffic extended permit tcp any any eq 8080
class-map http-traffic-class
match access-list http-traffi

Create policy to prevent download attempt via http request
1
2
3
4
5
6
7 policy-map type inspect http block-http-download
parameters
protocol-violation action drop-connection log
class http-header-response
drop-connection log
class http-request
reset log

Apply policy on the interesting traffic
1
2
3 policy-map inside-http
class http-traffic-class
inspect http block-http-download Apply the policy onto interface to take effect
1 service-policy inside-http interface inside
Hope this would help.