Configure IP ACLs to deny all other traffic | Blade ICE G8000

RackSwitch G8000 Application Guide

Example 5

Use this configuration to block all traffic except traffic of certain types. HTTP/HTTPS, DHCP, and ARP packets are permitted on the port. All other traffic is denied.

1.Configure one IP ACL for each type of traffic that you want to permit.

RS G8000 (config)# access-list ip extended 1103

RS G8000 (config-ext-nacl)# permit tcp any any eq 80

RS G8000 (config-ext-nacl)# exit

RS G8000 (config)# access-list ip extended 1104

RS G8000 (config-ext-nacl)# permit tcp any any eq 443

RS G8000 (config-ext-nacl)# exit

RS G8000 (config)# access-list ip extended 1105

RS G8000(config-ext-nacl)# permit udp any any eq 67

RS G8000(config-ext-nacl)# exit

RS G8000 (config)# access-list ip extended 1106

RS G8000 (config-ext-nacl)# permit udp any any eq 68

RS G8000 (config-ext-nacl)# exit

2.Configure IP ACLs to deny all other traffic.

RS G8000 (config)# access-list ip extended 1007

RS G8000 (config-ext-nacl)# deny tcp any any

RS G8000 (config-ext-nacl)# exit

RS G8000 (config)# access-list ip extended 1008

RS G8000 (config-ext-nacl)# deny udp any any

RS G8000 (config-ext-nacl)# exit

The ACLs that allow traffic must have a higher index number, and therefore higher priority, than the ACL that denies all traffic.

3.Configure one MAC ACL for each type of traffic that you want to permit (ARP).

RS G8000 (config)# access-list mac extended 200

RS G8000 (config-ext-macl)# permit any any 806

RS G8000 (config-ext-macl)# exit

4.Configure a MAC ACL to deny all other traffic.

RS G8000 (config)# access-list mac extended 10

RS G8000 (config-ext-macl)# deny any any

RS G8000 (config-ext-macl)# exit

BMD00041, November 2008

Chapter 6: Quality of Service 103

Image 103

Blade ICE G8000 manual Configure IP ACLs to deny all other traffic, Configure a MAC ACL to deny all other traffic

Contents

Application Guide RackSwitch G8000 Application Guide Contents Ports and Trunking Quality of Service Appendix a Troubleshooting Figures RackSwitch G8000 Application Guide Tables RackSwitch G8000 Application Guide Who Should Use This Guide Preface What You’ll Find in This Guide Typographic Conventions Typographic Conventions How to Get Help Accessing the Switch Log on to the switch Enter IP interface mode Configuring an IP InterfaceConfigure the default gateway. Enable the gateway Using Telnet Configuring BBI access via Http Using the Browser-Based InterfaceConfiguring BBI access via Https RS G8000 config# access https import-certificate Snmp Using SnmpDefault configuration Snmp v1 Privacy-password User configuration 22 „ Accessing the Switch SNMPv1 trap host Configuring Snmp Trap HostsSNMPv2 trap host configuration Configure an entry in the notify table SNMPv3 trap host configuration Securing Access to the Switch How Radius authentication works Radius Authentication and Authorization Configure the Radius secret and enable the feature Configuring Radius Radius authentication features in Blade OS Radius Attributes for G8000 user privileges Switch User Accounts How TACACS+ authentication works TACACS+ Authentication Authorization TACACS+ authentication features in Blade OS Accounting Command authorization and logging Configure the TACACS+ secret and second secret Configuring TACACS+ Authentication Secure Shell Configuring SSH features on the switchSSH encryption of management messages SSH Integration with RADIUS/TACACS+ Authentication Generating RSA Host and Server Keys for SSH access Considerations for configuring End User Accounts End User Access ControlUser Access Control Logging into an End User account Listing current Users RackSwitch G8000 Application Guide 38 „ Accessing the Switch Port-based Network Access Control Extensible Authentication Protocol over LAN Port Unauthorized 802.1X authentication process EAPoL message exchange „ Force Unauthorized 802.1X port states„ Unauthorized „ Authorized Support for Radius Attributes Supported Radius attributes Configuration guidelines BMD00041, November VLANs Overview Vlan numbers VLANs and Port Vlan ID NumbersViewing VLANs Pvid numbers Viewing and Configuring PVIDs Vlan Tagging 1Default Vlan settings 2Port-based Vlan assignment 4802.1Q tag assignment Vlan Topologies and Design Considerations Vlan configuration rules Component Description Multiple VLANs with Tagging Adapters Vlan Enable tagging on uplink ports that support multiple VLANs Vlan configuration exampleConfigure the VLANs and their member ports Private Vlan ports Private VLANs Select a Vlan and define the Private Vlan type as primary Configuration example Verify the configuration Configure a secondary Vlan and map it to the primary Vlan RackSwitch G8000 Application Guide 62 „ VLANs Ports and Trunking Statistical load distribution Built-In fault tolerance Static trunk group configuration rules Before you configure static trunks 66 „ Ports and Trunking Follow these steps on the G8000 Port Trunking Example Examine the trunking information on each switch Repeat the process on the other switch „ Source IP SIP + Destination IP DIP Configurable Trunk Hash Algorithm Link Aggregation Control Protocol Admin key RS G8000 # show lacp information Configuring Lacp Lacp configuration guidelinesSet the Lacp mode Spanning Tree 1Ports, Trunk Groups, and VLANs Determining the Path for Forwarding BPDUs Bridge Protocol Data Units BPDUs Changing the Spanning Tree mode Spanning Tree Group configuration guidelines Assigning a Vlan to a Spanning Tree Group Rules for Vlan Tagged ports Creating a VlanAdding and removing ports from STGs RackSwitch G8000 Application Guide Port state changes Rapid Spanning Tree Protocol Link Type Rstp configuration guidelinesPort Type and Link Type Edge Port Configure Rapid Spanning Tree Rstp configuration example Per Vlan Rapid Spanning Tree Default Spanning Tree configuration 1Two VLANs on one Spanning Tree Group Why do we need multiple Spanning Trees? Configuring Pvrst Pvrst configuration guidelinesSet the Spanning-tree mode to PVRST+ Mstp Region Multiple Spanning Tree ProtocolCommon Internal Spanning Tree Mstp configuration guidelines Passing Vlan Blocking Vlan Configure Multiple Spanning Tree Protocol Configuring Multiple Spanning Tree Groups 90 „ Spanning Tree Fast Uplink Convergence Configuring Fast Uplink Convergence RackSwitch G8000 Application Guide 92 „ Spanning Tree Quality of Service COS MAC Extended ACLs Using ACL Filters IP Extended ACLs IP Standard ACLs 1Well-known protocol types Assigning ACLs to a port Understanding ACL priority Viewing ACL statistics Use the following command to view ACL statistics Assign the ACL to port ACL configuration examplesConfigure an Access Control List Example 100.10.1.0 Add the ACL to a port Add the ACL to port Configure a MAC ACL to deny all other traffic Configure IP ACLs to deny all other traffic Assign the ACLs to a port Configuring storm control Using Storm Control FiltersBroadcast storms Differentiated Services Concepts Using Dscp Values to Provide QoS RackSwitch G8000 Application Guide Drop Class Precedence Per Hop Behavior QoS Levels Default QoS Service Levels DSCP-to-802.1p mapping Use the following command to perform DSCP-to-802.1p mapping 3Layer 2 802.1q/802.1p Vlan tagged packet Using 802.1p Priority to Provide QoS Configure a port’s default 802.1p priority value to 802.1p configuration exampleQueuing and Scheduling Overview Remote Monitoring Rmon group 1-Statistics Configuring Rmon statisticsEnable Rmon on a port Configure the Rmon statistics on a port History MIB Object ID Rmon group 2-History View Rmon History for the port Rmon group 3-AlarmsConfiguring Rmon History Configure the Rmon History parameters for a port Configuring Rmon Alarms Alarm MIB objects Rmon group 9-Events Configure Rmon eventsConfigure the Rmon Alarm parameters to track Icmp messages Configure the Rmon event parameters Basic IP Routing IP Routing Benefits 1The Router Legacy Network Routing Between IP Subnets 122 „ Basic IP Routing Example of Subnet Routing 2Switch-Based Routing Topology 1Subnet Routing Example IP Address Assignments Using VLANs to segregate Broadcast Domains 3Subnet Routing Example Optional Vlan Ports Add the switch ports to their respective VLANs Enable IP routing Configure the default gateway to the routers’ addressesAssign a Vlan to each IP interface Dynamic Host Configuration Protocol RackSwitch G8000 Application Guide 128 „ Basic IP Routing Igmp Igmp Snooping IGMPv3 Snooping FastLeave Add VLANs to Igmp Snooping Igmp Snooping configuration exampleConfigure Igmp Snooping Enable IGMPv3 Snooping optional RS G8000# show ip igmp groups View dynamic Igmp information Static Multicast Router Configure a Static Multicast Router High Availability 1Uplink Failure Detection example Uplink Failure Detection Failure Detection Pair Spanning Tree Protocol with UFD Configuration guidelines Monitoring UFD Configuring UFDTurn on Uplink Failure Detection UFD Troubleshooting Figure A-1Monitoring Ports Monitoring Ports Port Mirroring behavior Configuring Port MirroringEnable port mirroring View the current configuration BMD00041, November Numerics Index Igmp TACACS+