Cisco Systems 15310-CL Configuring Access Control Lists on ML-Series Card, Understanding ACLs


Chapter 13

Configuring Access Control Lists on the ML-Series Card

This chapter describes the access control list (ACL) features built into the ML-Series card and contains the following major sections:

Understanding ACLs, page 13-1

ML-Series ACL Support, page 13-1

Modifying ACL TCAM Size, page 13-5

Understanding ACLs

ACLs provide network control and security, allowing you to filter packet flow into or out of ML-Series interfaces. ACLs, which are sometimes called filters, allow you to restrict network use by certain users or devices. ACLs are created for each protocol and are applied on the interface for either inbound or outbound traffic. ACLs do not apply to outbound control plane traffic. Only one ACL filter can be applied per direction per subinterface.

When creating ACLs, you define criteria to apply to each packet processed by the ML-Series card; the ML-Series card decides whether to forward or block the packet based on whether or not the packet matches the criteria in your list. Packets that do not match any criteria in your list are automatically blocked by the implicit “deny all traffic” criteria statement at the end of every ACL.

ML-Series ACL Support

Both control-plane and data-plane ACLs are supported on the ML-Series card:

Control-plane ACLs: ACLs used to filter control data that is processed by the CPU of the ML-Series card (for example, distribution of routing information, Internet Group Membership Protocol (IGMP) joins, and so on).

Data-plane ACLs: ACLs used to filter user data being routed or bridged through the ML-Series card in hardware (for example, denying access to a host, and so on). These ACLs are applied to an interface in the input or output direction using the ip access-group command.

The following apply when using data-plane ACLs on the ML-Series card:

ACLs are supported on all interface types, including bridged interfaces.

Reflexive and dynamic ACLs are not supported on the ML-Series card.
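The filtering semantics described in the two sections above (top-down, first-match evaluation, the implicit "deny all traffic" at the end of every list, and one ACL per direction per subinterface) modelled in Python. This is an added illustration, not the ML-Series card's implementation or any Cisco code; the AclEntry layout, the Interface class and the sample addresses are constructed for the example, and the wildcard-mask and first-match behaviour assumed are those of standard Cisco IOS access lists.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    """One access-list entry; addresses use IOS forms: 'any', 'host A.B.C.D', 'A.B.C.D WILDCARD'."""
    action: str            # "permit" or "deny"
    src: str
    dst: str = "any"
    proto: str = "ip"      # "ip" matches every IP protocol; otherwise "tcp", "udp", ...


def _ipv4(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def match_addr(spec: str, addr: str) -> bool:
    """Wildcard-mask matching as IOS does it: a 1 bit in the mask means 'don't care'."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return _ipv4(parts[1]) == _ipv4(addr)
    base, wildcard = _ipv4(parts[0]), _ipv4(parts[1])
    care = ~wildcard & 0xFFFFFFFF
    return (_ipv4(addr) & care) == (base & care)


def evaluate(acl, packet):
    """Top-down, first-match evaluation. Returns (action, index of the matching entry);
    index None means the implicit 'deny all traffic' at the end of every ACL fired."""
    for i, e in enumerate(acl):
        if e.proto != "ip" and e.proto != packet["proto"]:
            continue
        if match_addr(e.src, packet["src"]) and match_addr(e.dst, packet["dst"]):
            return e.action, i
    return "deny", None


class Interface:
    """Holds at most one ACL per direction, as the card allows per subinterface.
    Binding again in the same direction replaces the earlier ACL (ip access-group semantics)."""
    def __init__(self, name):
        self.name = name
        self.acls = {}     # direction ("in"/"out") -> list of AclEntry

    def access_group(self, acl, direction):
        assert direction in ("in", "out")
        self.acls[direction] = acl

    def decide(self, direction, packet):
        """'forward' or 'drop'. With no ACL bound in that direction nothing is filtered."""
        acl = self.acls.get(direction)
        if acl is None:
            return "forward"
        action, _ = evaluate(acl, packet)
        return "forward" if action == "permit" else "drop"


# Constructed sample ACL (not from the manual): block one host, allow the rest of its subnet,
# and allow TCP from anywhere to one server. Entry order matters: swapping entries 0 and 1
# would let 10.1.1.7 through, because the subnet permit would match first.
SAMPLE_ACL = [
    AclEntry("deny", "host 10.1.1.7"),
    AclEntry("permit", "10.1.1.0 0.0.0.255"),
    AclEntry("permit", "any", "host 192.0.2.10", "tcp"),
]

if __name__ == "__main__":
    fe0 = Interface("FastEthernet0.100")
    fe0.access_group(SAMPLE_ACL, "in")
    for pkt in ({"src": "10.1.1.7", "dst": "192.0.2.10", "proto": "tcp"},
                {"src": "10.1.1.20", "dst": "198.51.100.1", "proto": "udp"},
                {"src": "172.16.0.5", "dst": "192.0.2.10", "proto": "udp"}):
        print(pkt, "->", fe0.decide("in", pkt), evaluate(SAMPLE_ACL, pkt))
```

The third sample packet (UDP to the server) matches no entry and is dropped by the implicit deny, which is the behaviour the text describes for any packet that falls off the end of the list.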

Cisco ONS 15310-CL and Cisco ONS 15310-MA Ethernet Card Software Feature and Configuration Guide R8.5


78-18133-01

13-1


15310-CL, 15310-MA specifications

Cisco Systems has established itself as a leader in the networking domain, offering a wide array of solutions to meet the needs of modern businesses. Among its impressive product lineup are the Cisco 15310-CL and 15310-MA routers, designed to provide advanced network performance and reliability.

The Cisco 15310-CL is a versatile platform that primarily serves as a carrier-class router aimed at supporting high-speed data and voice services. It is built to handle the demands of large enterprises and service providers, offering a robust design that ensures maximum uptime and performance. One of its standout features is its modular architecture, which enables users to customize their configurations based on specific application needs. This scalability allows for future expansion without the need for a complete hardware overhaul.

Key technologies integrated into the Cisco 15310-CL include high-density Ethernet interfaces and a comprehensive suite of Layer 2 and Layer 3 protocol support. The device is capable of supporting multiple types of connections, including TDM, ATM, and Ethernet. This flexibility makes it an ideal choice for organizations that require seamless migration between various service types. Moreover, with features such as MPLS (Multiprotocol Label Switching) support and advanced Quality of Service (QoS) mechanisms, the router ensures that critical applications receive the necessary bandwidth and low latency required for optimal performance.

In contrast, the Cisco 15310-MA focuses on access solutions, providing a cost-effective entry point for businesses looking to enhance their network capabilities. It is well-suited for smaller offices or branch locations that need reliable connectivity without the expense and complexity associated with larger systems. The device supports a range of access methods and provides essential features like firewall capabilities, VPN support, and comprehensive security measures to protect sensitive data.

Both models benefit from Cisco's commitment to security and manageability, offering features like enhanced encryption protocols and user authentication mechanisms that help safeguard networks against threats. Additionally, they can be managed through Cisco’s intuitive software tools, simplifying configuration and monitoring tasks for IT administrators.

The Cisco 15310-CL and 15310-MA are ideal solutions for businesses seeking to enhance their network infrastructure, ensuring firms can keep pace with evolving technology demands while maintaining a focus on security and performance. Their combination of advanced features, modular capabilities, and robust support makes them valuable assets in the networking landscape.