Nortel Networks 5520 2 L2-ACL Configuration, ACL-Assign Configuration, ACL Configuration Example


Filters and QoS Configuration for ERS 5500

Technical Configuration Guide

v2.0

NN48500-559

7.1.2 L2-ACL Configuration

L2 ACLs (Layer 2 access-list entries) are added using the following command; the `?` lists the classifier criteria and actions an entry can carry:

5500 (config)#qos l2-acl name <1..16 character string> ?

  block           Specify the label to identify access-list elements that are of the same block
  drop-action     Specify the drop action
  dst-mac         Specify the destination MAC classifier criteria
  dst-mac-mask    Specify the destination MAC mask classifier criteria
  ethertype       Specify the ethertype classifier criteria
  priority        Specify the user priority classifier criteria
  set-drop-prec   Specify the set drop precedence
  src-mac         Specify the source MAC classifier criteria
  src-mac-mask    Specify the source MAC mask classifier criteria
  update-1p       Specify the update user priority
  update-dscp     Specify the update DSCP
  vlan-min        Specify the Vlan ID minimum value classifier criteria
  vlan-tag        Specify the vlan tag classifier criteria
  <cr>

7.1.3 ACL-Assign Configuration

Once the ACL entries have been configured, the ACL is assigned by name to one or more ports. The acl-type must match the kind of ACL being assigned (ip for an IP-ACL, l2 for an L2-ACL):

5500 (config)#qos acl-assign port <port # or port #'s> acl-type <ip|l2> name <acl name>

7.1.4 ACL Configuration Example

7.1.4.1 Configuration

Assuming we wish to configure the following:

re-mark FTP traffic from host 172.1.1.10 to the CoS class Silver

re-mark HTTP traffic from host 172.1.1.10 to the CoS class Gold

pass all other traffic unchanged and apply the ACL to port 1/19

To accomplish the above, please enter the following commands:

5500 (config)#qos ip-acl name host src-ip 172.1.1.10/32 protocol 6 src-port-min 21 src-port-max 21 update-dscp 18 block tcpcommon

5500 (config)#qos ip-acl name host src-ip 172.1.1.10/32 protocol 6 src-port-min 80 src-port-max 80 update-dscp 26 block tcpcommon

5500 (config)#qos ip-acl name host drop-action disable

5500 (config)#qos acl-assign port 1/19 acl-type ip name host

Please note the following:

The first two IP-ACL entries are placed in a block named tcpcommon. Since only up to eight precedence levels are available, it is a good idea to use block configuration whenever possible so that related entries share one precedence level.

The third IP-ACL entry (drop-action disable with no classifier criteria) is required to match all other traffic and pass it with its DSCP unchanged. As the default implicit action is to drop all non-matching traffic, if this entry is not entered, only FTP and HTTP traffic from host 172.1.1.10 would be allowed through port 1/19; everything else, including any other TCP or non-TCP traffic from that host, would be silently dropped.

Protocol 6 refers to TCP traffic. Note that the two re-marking entries classify on the source port (21 and 80), so they match traffic that 172.1.1.10 sends from its FTP and HTTP server ports, not connections the host opens as a client to those ports on other machines; update-dscp 18 and 26 are the AF21 and AF31 code points that map to the Nortel Silver and Gold classes.
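The following is an added example, not part of the Nortel guide: a small Python model of the IP-ACL above that evaluates constructed packets against the three entries, once with and once without the catch-all entry, to make the implicit-drop behaviour concrete. It assumes ordered first-match evaluation with an implicit drop when nothing matches, that an entry without an explicit drop-action passes what it matches (consistent with the two re-marking entries), and the Nortel default mapping of DSCP 0/18/26 to the Standard/Silver/Gold classes; block membership is recorded but precedence sharing is not modelled. All packets are constructed, not captured.

```python
"""Model of the ERS 5500 IP-ACL semantics used in the example above.
Added example, not Nortel code: it reproduces the `qos ip-acl name host ...`
entries as data and evaluates constructed packets against them."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Assumed: Nortel default CoS class names for the DSCP values the example uses.
DSCP_TO_COS: Dict[int, str] = {0: "Standard", 18: "Silver", 26: "Gold"}


@dataclass
class IpAclEntry:
    """One `qos ip-acl name <acl> ...` line. A field left as None matches anything."""
    src_ip: Optional[str] = None          # CIDR string, e.g. "172.1.1.10/32"
    protocol: Optional[int] = None        # IP protocol number; 6 is TCP
    src_port_min: Optional[int] = None
    src_port_max: Optional[int] = None
    update_dscp: Optional[int] = None     # DSCP written into matching packets
    drop_action: str = "disable"          # assumed default: "enable" drops, "disable" passes
    block: Optional[str] = None           # label only; precedence sharing is not modelled

    def matches(self, pkt: Dict) -> bool:
        if self.src_ip is not None and ip_address(pkt["src_ip"]) not in ip_network(self.src_ip, strict=False):
            return False
        if self.protocol is not None and pkt["protocol"] != self.protocol:
            return False
        if self.src_port_min is not None:
            hi = self.src_port_max if self.src_port_max is not None else self.src_port_min
            if not self.src_port_min <= pkt["src_port"] <= hi:
                return False
        return True


@dataclass
class IpAcl:
    name: str
    entries: List[IpAclEntry] = field(default_factory=list)

    def evaluate(self, pkt: Dict) -> Tuple[str, Optional[int]]:
        """First matching entry decides; no match falls through to the implicit
        drop the guide describes. Returns ("pass", egress DSCP) or ("drop", None)."""
        for e in self.entries:
            if e.matches(pkt):
                if e.drop_action == "enable":
                    return ("drop", None)
                return ("pass", e.update_dscp if e.update_dscp is not None else pkt["dscp"])
        return ("drop", None)


def build_acl(with_catch_all: bool) -> IpAcl:
    """The ACL named 'host' from the example. with_catch_all=False omits the
    third entry (`drop-action disable`) to show what the implicit drop does."""
    acl = IpAcl("host", [
        IpAclEntry("172.1.1.10/32", 6, 21, 21, update_dscp=18, block="tcpcommon"),
        IpAclEntry("172.1.1.10/32", 6, 80, 80, update_dscp=26, block="tcpcommon"),
    ])
    if with_catch_all:
        acl.entries.append(IpAclEntry(drop_action="disable"))
    return acl


# Constructed sample packets arriving on port 1/19 (not captured traffic).
PACKETS: Dict[str, Dict] = {
    "ftp_from_host":  {"src_ip": "172.1.1.10", "protocol": 6,  "src_port": 21, "dscp": 0},
    "http_from_host": {"src_ip": "172.1.1.10", "protocol": 6,  "src_port": 80, "dscp": 0},
    "ssh_from_host":  {"src_ip": "172.1.1.10", "protocol": 6,  "src_port": 22, "dscp": 0},
    "http_other_src": {"src_ip": "10.0.0.5",   "protocol": 6,  "src_port": 80, "dscp": 0},
    "udp_from_host":  {"src_ip": "172.1.1.10", "protocol": 17, "src_port": 21, "dscp": 0},
}


def classify(acl: IpAcl, pkt: Dict) -> Tuple[str, Optional[str]]:
    """Verdict plus the CoS class name for the resulting DSCP."""
    verdict, dscp = acl.evaluate(pkt)
    cos = None if dscp is None else DSCP_TO_COS.get(dscp, f"DSCP {dscp}")
    return verdict, cos


if __name__ == "__main__":
    for with_catch_all in (True, False):
        acl = build_acl(with_catch_all)
        print(f"--- ACL 'host' {'with' if with_catch_all else 'without'} the catch-all entry")
        for name, pkt in PACKETS.items():
            print(f"{name:15s} -> {classify(acl, pkt)}")
```

Running it shows the two re-marking entries behaving the same either way (FTP to Silver, HTTP to Gold), while SSH from the host, HTTP from another source and UDP from the host pass as Standard only when the catch-all entry is present and are dropped by the implicit action when it is omitted.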

Nortel Confidential Information Copyright © 2008 Nortel Networks. All Rights Reserved.

External Distribution
