Cisco Systems 15310-MA Creating Named Standard IP ACLs, Applying the ACL to an Interface, 13-4


Chapter 13 Configuring Access Control Lists on the ML-Series Card

ML-Series ACL Support

Creating Named Standard IP ACLs

To create a named standard IP ACL, perform the following procedure, beginning in global configuration mode:

Step 1
Command:  ML_Series(config)# ip access-list standard name
Purpose:  Defines a standard IP ACL using an alphabetic name.

Step 2
Command:  ML_Series(config-std-nacl)# {deny | permit} {source [source-wildcard] | any}
Purpose:  In access-list configuration mode, specifies one or more conditions as permitted or denied. This determines whether the packet is passed or dropped. Repeat this step once per condition; entries are evaluated in the order entered, the first matching entry decides, and every ACL ends with an implicit deny of all traffic that matched no entry.

Step 3
Command:  ML_Series(config-std-nacl)# exit
Purpose:  Exits access-list configuration mode.

Creating Named Extended IP ACLs (Control Plane Only)

To create a named extended IP ACL, perform the following procedure, beginning in global configuration mode:

Step 1
Command:  ML_Series(config)# ip access-list extended name
Purpose:  Defines an extended IP ACL using an alphabetic name.

Step 2
Command:  ML_Series(config-ext-nacl)# {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos]
Purpose:  In access-list configuration mode, specifies the conditions allowed or denied.

          or

Command:  {deny | permit} protocol any any
Purpose:  Defines an extended IP ACL using an abbreviation for a source and source wildcard of 0.0.0.0 255.255.255.255, and an abbreviation for a destination and destination wildcard of 0.0.0.0 255.255.255.255.

          or

Command:  {deny | permit} protocol host source host destination
Purpose:  Defines an extended IP ACL using an abbreviation for a source and source wildcard of source 0.0.0.0, and an abbreviation for a destination and destination wildcard of destination 0.0.0.0.

Applying the ACL to an Interface

After you create an ACL, you can apply it to one or more interfaces. An ACL can be applied in either the inbound or the outbound direction of an interface, and the ACL can be referenced by name or by number. If a standard ACL is applied, the ML-Series card compares only the source IP address of each packet with the ACL entries; the destination address and protocol are not examined. To apply an ACL to one or more interfaces, use the command in Table 13-2.

Note IP standard ACLs applied to the ingress of a Bridge Group Virtual Interface (BVI) will be applied to all bridged IP traffic in the associated bridge-group, in addition to the BVI ingress traffic.
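The following Python model is an added example, not code from the ONS 15310 guide or from Cisco IOS. It covers the two named-ACL procedures above and the "Applying the ACL to an Interface" section: it parses the command syntax shown in the tables (deny/permit, source with an optional wildcard, any, host, protocol, destination with a wildcard) and evaluates sample packets with the first-match rule and the implicit deny that ends every IOS ACL. A standard list is matched on the source address only, as the text states. The ACL names, addresses and packets are constructed for illustration, and the optional [precedence] and [tos] keywords are accepted but not evaluated.

```python
"""Parse and evaluate Cisco IOS-style named IP ACLs (standard and extended).

Added example, not code from the ONS 15310 guide. It accepts the command
syntax from the two procedures above and applies IOS first-match semantics,
including the implicit deny that ends every ACL. Names, addresses and
packets are constructed for illustration; [precedence] and [tos] are ignored.
"""
import ipaddress
from dataclasses import dataclass, field

MASK32 = 0xFFFFFFFF

# Constructed configuration in the syntax of the procedures above.
SAMPLE_CONFIG = """\
ip access-list standard MGMT-HOSTS
 permit 192.0.2.0 0.0.0.255
 deny 198.51.100.7
 permit 198.51.100.0 0.0.0.255
ip access-list extended CP-ONLY
 permit tcp 192.0.2.0 0.0.0.255 host 203.0.113.1
 deny ip any any
"""


@dataclass
class Entry:
    action: str           # "permit" or "deny"
    src: int              # source address as a 32-bit integer
    src_wc: int           # source wildcard: 1 bits are "don't care"
    proto: str = "ip"     # "ip" matches any IP protocol (extended only)
    dst: int = 0
    dst_wc: int = MASK32  # standard ACLs never examine the destination


@dataclass
class Acl:
    name: str
    kind: str             # "standard" or "extended"
    entries: list = field(default_factory=list)


def _is_ipv4(token):
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def _take_addr(tokens):
    """Consume one address spec; return (address, wildcard, remaining tokens).
    any -> 0.0.0.0/255.255.255.255, host A -> A/0.0.0.0, A [W] -> A/W (W defaults to 0.0.0.0)."""
    if tokens[0] == "any":
        return 0, MASK32, tokens[1:]
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0, tokens[2:]
    addr = int(ipaddress.IPv4Address(tokens[0]))
    if len(tokens) > 1 and _is_ipv4(tokens[1]):
        return addr, int(ipaddress.IPv4Address(tokens[1])), tokens[2:]
    return addr, 0, tokens[1:]


def parse_config(text):
    """Return {name: Acl} for each 'ip access-list standard|extended NAME' block."""
    acls, current = {}, None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[:2] == ["ip", "access-list"]:
            current = Acl(name=tokens[3], kind=tokens[2])
            acls[current.name] = current
            continue
        if current is None or tokens[0] not in ("permit", "deny"):
            raise ValueError("unexpected line: " + raw)
        action, rest = tokens[0], tokens[1:]
        if current.kind == "standard":
            src, src_wc, _ = _take_addr(rest)
            current.entries.append(Entry(action, src, src_wc))
        else:
            proto, rest = rest[0], rest[1:]
            src, src_wc, rest = _take_addr(rest)
            dst, dst_wc, _ = _take_addr(rest)   # trailing [precedence]/[tos] dropped
            current.entries.append(Entry(action, src, src_wc, proto, dst, dst_wc))
    return acls


def _wc_match(value, addr, wildcard):
    # Only the bit positions where the wildcard is 0 must agree.
    return (value & ~wildcard & MASK32) == (addr & ~wildcard & MASK32)


def evaluate(acl, src, dst="0.0.0.0", proto="ip"):
    """First match wins; returns (action, entry index), or ("deny", None) when
    no entry matches, which is the implicit deny at the end of every ACL."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for i, e in enumerate(acl.entries):
        if not _wc_match(s, e.src, e.src_wc):
            continue
        if acl.kind == "extended":
            if e.proto != "ip" and e.proto != proto:
                continue
            if not _wc_match(d, e.dst, e.dst_wc):
                continue
        return e.action, i
    return "deny", None


if __name__ == "__main__":
    acls = parse_config(SAMPLE_CONFIG)
    print(evaluate(acls["MGMT-HOSTS"], "198.51.100.7"))                  # ('deny', 1)
    print(evaluate(acls["CP-ONLY"], "192.0.2.9", "203.0.113.1", "udp"))  # ('deny', 1)
```

Two points worth checking against this model before applying a list to an interface: the order of entries matters (the deny for 198.51.100.7 must precede the permit for 198.51.100.0 0.0.0.255 or it never fires), and anything not explicitly permitted is dropped by the implicit deny, which is why the BVI note above matters when a standard ACL silently covers all bridged traffic in the bridge group.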

Cisco ONS 15310-CL and Cisco ONS 15310-MA Ethernet Card Software Feature and Configuration Guide R8.5

13-4

78-18133-01

 

 

