Cisco Systems 15310-MA, 15310-CL manual Named IP ACLs, User Guidelines, 13-2


Chapter 13 Configuring Access Control Lists on the ML-Series Card

ML-Series ACL Support

Access violations accounting is not supported on the ML-Series card.

ACL logging is supported only for packets going to the CPU, not for switched packets.

IP standard ACLs applied to bridged egress interfaces are not supported in the data plane. When bridging, ACLs are supported only on ingress.

IP ACLs

The following ACL styles for IP are supported:

Standard IP ACLs: These use source addresses for matching operations.

Extended IP ACLs: (Control plane only) These use source and destination addresses for matching operations and optional protocol type and port numbers for finer granularity of control.

Named ACLs: These use source addresses for matching operations.

Note: By default, the end of the ACL contains an implicit deny statement for everything if it did not find a match before reaching the end. With standard ACLs, if you omit the mask from an associated IP host address ACL specification, 0.0.0.0 is assumed to be the mask.

After creating an ACL, you must apply it to an interface, as shown in the “Applying the ACL to an Interface” section on page 13-4.

Named IP ACLs

You can identify IP ACLs with a name, but it must be an alphanumeric string. Named IP ACLs allow you to configure more IP ACLs in a router than if you used numbered ACLs. If you identify your ACL with an alphabetic rather than a numeric string, the mode and command syntax are slightly different.

Consider the following before configuring named ACLs:

A standard ACL and an extended ACL cannot have the same name.

Numbered ACLs are also available, as described in the “Creating Numbered Standard and Extended IP ACLs” section on page 13-3.

User Guidelines

Keep the following in mind when you configure IP network access control:

You can program ACL entries into Ternary Content Addressable Memory (TCAM).

You do not have to enter a deny everything statement at the end of your ACL; it is implicit.

You can enter ACL entries in any order without any performance impact.

For every eight TCAM entries, the ML-Series card uses one entry for TCAM management purposes.

Do not set up conditions that result in packets getting lost. This situation can happen when a device or interface is configured to advertise services on a network that has ACLs that deny these packets.

IP ACLs are not supported for double-tagged (QinQ) packets. They will, however, be applied to IP packets entering on a QinQ access port.
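The following is an added example, not code from the Cisco guide: a small Python model of the standard IP ACL semantics described above (the Note under IP ACLs and the User Guidelines), covering both the numbered and the named configuration styles, the omitted-mask-means-0.0.0.0 rule, the implicit deny at the end of every ACL, and the one-in-eight TCAM management entry. First-match evaluation is standard Cisco ACL behaviour; the sample configuration and the TCAM sizing helper (which assumes partial groups of eight reserve no entry) are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Ace:
    action: str     # "permit" or "deny"
    addr: int       # source address as a 32-bit integer
    wildcard: int   # Cisco wildcard mask: a set bit means "don't care"

    def matches(self, src: int) -> bool:
        care = ~self.wildcard & 0xFFFFFFFF
        return (src & care) == (self.addr & care)


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def parse_standard_acls(config: str) -> dict:
    """Parse numbered ('access-list N permit ...') and named
    ('ip access-list standard NAME' followed by 'permit ...' lines)
    standard IP ACLs into {name: [Ace, ...]} in configured order."""
    acls, current = {}, None
    for raw in config.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[:3] == ["ip", "access-list", "standard"]:
            current = tokens[3]              # enter named-ACL mode
            acls.setdefault(current, [])
            continue
        if tokens[0] == "access-list":
            name, rest = tokens[1], tokens[2:]
            acls.setdefault(name, [])
        elif current is not None and tokens[0] in ("permit", "deny"):
            name, rest = current, tokens     # entry inside a named ACL
        else:
            continue
        if rest[1] == "any":
            addr, wc = 0, 0xFFFFFFFF
        elif rest[1] == "host":
            addr, wc = _ip(rest[2]), 0
        else:
            addr = _ip(rest[1])
            # Standard ACL with the mask omitted: 0.0.0.0 is assumed (exact host match)
            wc = _ip(rest[2]) if len(rest) > 2 else 0
        acls[name].append(Ace(rest[0], addr, wc))
    return acls


def evaluate(aces, src: str) -> str:
    """First matching entry decides; nothing matched means the implicit deny."""
    s = _ip(src)
    for ace in aces:
        if ace.matches(s):
            return ace.action
    return "deny"


def usable_tcam_aces(tcam_entries: int) -> int:
    """One entry in every full group of eight is reserved for TCAM management."""
    return tcam_entries - tcam_entries // 8


# Constructed sample configuration (not from the guide)
SAMPLE_CONFIG = """
access-list 10 deny   host 192.168.1.7
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 permit 10.1.1.1
ip access-list standard MGMT
 permit 10.0.0.0 0.255.255.255
 deny any
"""
```

Because ACL entries are matched in order, `192.168.1.7` is denied even though the second entry would permit the whole /24, and `10.1.1.2` falls through to the implicit deny.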

Cisco ONS 15310-CL and Cisco ONS 15310-MA Ethernet Card Software Feature and Configuration Guide R8.5

13-2

78-18133-01


15310-CL, 15310-MA specifications

Cisco Systems has established itself as a leader in the networking domain, offering a wide array of solutions to meet the needs of modern businesses. Among its impressive product lineup are the Cisco 15310-CL and 15310-MA routers, designed to provide advanced network performance and reliability.

The Cisco 15310-CL is a versatile platform that primarily serves as a carrier-class router aimed at supporting high-speed data and voice services. It is built to handle the demands of large enterprises and service providers, offering a robust design that ensures maximum uptime and performance. One of its standout features is its modular architecture, which enables users to customize their configurations based on specific application needs. This scalability allows for future expansion without the need for a complete hardware overhaul.

Key technologies integrated into the Cisco 15310-CL include high-density Ethernet interfaces and a comprehensive suite of Layer 2 and Layer 3 protocol support. The device is capable of supporting multiple types of connections, including TDM, ATM, and Ethernet. This flexibility makes it an ideal choice for organizations that require seamless migration between various service types. Moreover, with features such as MPLS (Multiprotocol Label Switching) support and advanced Quality of Service (QoS) mechanisms, the router ensures that critical applications receive the necessary bandwidth and low latency required for optimal performance.

In contrast, the Cisco 15310-MA focuses on access solutions, providing a cost-effective entry point for businesses looking to enhance their network capabilities. It is well-suited for smaller offices or branch locations that need reliable connectivity without the expense and complexity associated with larger systems. The device supports a range of access methods and provides essential features like firewall capabilities, VPN support, and comprehensive security measures to protect sensitive data.

Both models benefit from Cisco's commitment to security and manageability, offering features like enhanced encryption protocols and user authentication mechanisms that help safeguard networks against threats. Additionally, they can be managed through Cisco’s intuitive software tools, simplifying configuration and monitoring tasks for IT administrators.

The Cisco 15310-CL and 15310-MA are ideal solutions for businesses seeking to enhance their network infrastructure, ensuring firms can keep pace with evolving technology demands while maintaining a focus on security and performance. Their combination of advanced features, modular capabilities, and robust support makes them valuable assets in the networking landscape.