Nortel Networks 5520, 5530, 5510 manual 12.3.1 ERS5500 Configuration

Page 51

Filters and QoS Configuration for ERS 5500

 

 

Technical Configuration Guide

v2.0

NN48500-559

12.3Configuration Example – IP ACL, DHCP Snooping, ARP Inspection, BPDU Filtering, and Source Guard

Figure 4: IP ACL, DHCP Snooping, ARP Inspection, and Source Guard

Overall, we wish to accomplish the following in regards to VLAN 110:

Only allow ICMP and DHCP traffic to the DHCP server (172.30.30.50) and deny all other traffic to the 172.x.x.x network

For the 10.x.x.x network, only allow access to the local network (10.62.32.0/24) and to the 10.10.30/0/24 network for full access to the internet

Enable DHCP Snooping, ARP-Inspection, and

In regards to VLAN 220, we wish to accomplish the following:

Allow full access to the core network 172.0.0.0/8 and 10.0.0.0/8

Only allow only ICMP, HTTP and HTTPS traffic to the internet

12.3.1 ERS5500 Configuration

12.3.1.1Create VLAN’s and Add Port Members ERS5500: Step 1 – Add VLANs 110, 220, and 700

5500(config)#vlan create 700 name core type port 5500(config)#vlan create 110 type port 5500(config)#vlan create 220 type port 5500(config)#vlan members remove 1 3-6,8-10,23 5500(config)#vlan ports 23 tagging tagall 5500(config)#vlan members 110 3-6 5500(config)#vlan members 220 8-10 5500(config)#vlan members 700 23

12.3.1.2 Add IP Address and Enable OSPF

ERS5500: Step 1 – Add IP address to VLAN 110 and enable OSPF with interface type of passive

___________________________________________________________________________________________________________________________

Nortel Confidential Information Copyright © 2008 Nortel Networks. All Rights Reserved.

 

External Distribution

50

Page 50 Page 52
Image 51
Page 50 Page 52
Contents Ethernet Routing Switch NN48500-559 Abstract Table of Contents List of Tables List of FiguresText Document UpdatesSymbols ConventionsOverview Ethernet Routing Switch 5500 QoS and Filtering ƒ Layer 2 Classifier Elements ClassificationUntrusted Ports Unrestricted PortsStatistics Actions SupportedQoS Flow Chart Filter Functionality Overall Classification FunctionalityClassifier Block Functionality 7, 15, 31, 63 255, 511, 1025 4095, 8191 32762, or Min = Port Range FunctionalityPolicies Default Policy Drop ActionNN48500-559 5520-24T-PWRconfig#qos agent buffer large maximum regular 5520-24T-PWRconfig#default qos agent bufferQueue Sets Egress CoS Queuing Ethernet Routing Switch 5500 Egress CoS QueuingCoS 5520-24T-PWRconfig#qos agent queue set 5520-24T-PWRconfig#show qos queue-set-assignment5520-24T-PWRconfig#default qos agent queue-set 5520-24T-PWRconfig#qos agent reset-defaultEgress Queue Recommendations Bucket Size Traffic Meter and ShapingParameter Description Actual Bucket SizePolicing Traffic Actual Bucket Size in Bytes Actual size in bytes InterfaceExample Interface Shaper Meter Bucket Size and DurationBucket Size Max burst rate Committed rate Duration MSec 5530-24TFDconfig#show qos if-shaper port Hex Decimal Default Nortel Class of ServiceDefault Nortel CoS Markings BinaryConfig#qos ip-acl name 1..16 character string ? QoS Access Lists ACLACL Configuration IP-ACL ConfigurationConfig#qos l2-acl name 1..16 character string ? 2 L2-ACL ConfigurationACL-Assign Configuration ACL Configuration ExampleVerification 5530H-24TFD#show qos acl-assign5530H-24TFD#show qos ip-acl 5530H-24TFD#show qos policy Changing ACL 5500config#no qos acl-assign5500config#no qos acl-assign 1 port 1/19 5500config#no qos ip-aclDhcp Snooping IP Security FeaturesDhcp Snooping Configuration Dynamic ARP Inspection ConfigurationIP Source Guard IP Source Guard ConfigurationBpdu Filtering Bpdu Filtering ConfigurationQoS Interface Applications QoS Applications Number of Classifiers Used FeatureARP Spoofing Configuration ExampleDhcp Snooping Dhcp Attacks10.3 DoS Bpdu Blocking ERS5500-48T#show qos if-group Configuration Steps Policy ConfigurationRole Combination ERS5500-48T#show qos if-assignIP Element ERS5500-48Tconfig#qos ip-element 1-64000?Classification Adding IP and L2 ElementAdding a Classifier Block Adding a ClassifierParameters and variables Description MetersAdd a New Policy Configuration Examples Pre-defined ValuesQoS Action Configure the IP elements Configuration Example 1 Traffic Meter Using Policies12.2.1 ERS5500 Configuration Using Policies Configure the Interface Role CombinationConfigure Meters Configure the Classifier BlockERS5500 Create the classifier block Verify the Role Combination Configure the PolicyVerify Operations ERS5500 Create the policyName m1 Verify Classifier and Classifier Block ConfigurationERS5500-24T#show qos classifier-block Verify Policy Configuration Verify that the QoS Policy IP ACL, Dhcp Snooping, ARP Inspection, and Source Guard 12.3.1 ERS5500 ConfigurationERS5500 Add IP address to Vlan 700 and enable Ospf ERS5500 Enable ARP-Inspection for VLAN’s 110 Verify DHCP-Snooping ERS5500 Assign the IP-ACL’s to portsVID Verify ARP InspectionVerify IP Source Guard Verify ACL ConfigurationNN48500-559 NN48500-559 ERS5500-24T#show qos acl-assign TCP Port Range Configuration Example 3 Port Range Using ACL or PolicyConfiguration Using Policies Configure the PoliciesERS5500 Create IP elements for UDP port range ERS5500 Remark all other traffic to Bronze Configuration Using IP-ACL’sCreate Policy 12.5.1 ERS5500 Configuration Using Policies12.5.2 ERS5500 Configuration Using IP-ACL’s ERS5500 Pass all other traffic with standard CoSERS5500 Assign the L2-ACL’s to ports 12.6.1 ERS5500 Configuration Using Policies Configuration Example 5 L2 and L3 ClassificationERS5500 Add L2 elements for Vlan 110 Configure Classifier and Classifier BlocksDscp Mapping via Un-restricted Port Role 12.7.1 ERS5500 ConfigurationPolicy Configuration ACL ConfigurationID ID View the Queue AssignmentsConfiguration Example 7 Interface Shaping Enable Shaping on PortVerify Shape Rate Configuration Reference Documentation Software BaselineContact us
Top Page Image Contents