Manuals / Blade ICE / Computer Equipment / Computer Accessories

Blade ICE G8000 manual Using ACL Filters, MAC Extended ACLs

Models: G8000

1 145

Download 145 pages 21.85 Kb

Page 95

Using ACL Filters

RackSwitch G8000 Application Guide

Using ACL Filters

Access Control Lists are filters that allow you to classify data packets according to a particular content in the packet header, such as the source address, destination address, source port num- ber, destination port number, and others. Packet classifiers identify flows for more processing. Each filter defines the conditions that must match for inclusion in the filter, and also the actions that are performed when a match is made.

ACLs are used to control whether packets are forwarded or blocked at the switch ports. ACLs can provide basic security for access to the network. For example, you can use an ACL to per- mit one host to access a part of the network, and deny another host access to the same area.

Each ACL contains rules that define the matching criteria for data packets. The ACL checks each packet against its rules, to determine if there is a match. If the packet matches the ACL’s rules, the ACL performs its configured action: either permit or deny the packet.

The G8000 supports the following ACL types:

MAC Extended ACLs

IP Standard ACLs

IP Extended ACLs

MAC Extended ACLs

The switch supports up to 127 MAC extended ACLs, numbered from 1-65535. Use MAC Extended ACLs to filter traffic using the following criteria:

Source/destination MAC address

VLAN

Ethernet protocol

User priority criteria

To create a MAC Extended ACL:

RS G8000 (config)# access-list mac extended 1

RS G8000 (config-ext-macl)#

To delete a MAC Extended ACL:

RS G8000 (config)# no access-list mac extended 1

RS G8000 (config)#

BMD00041, November 2008

Chapter 6: Quality of Service 95

Image 95

Blade ICE G8000 manual Using ACL Filters, MAC Extended ACLs

Contents

Part Number BMD00041, November RackSwitch G8000Application Guide VersionRackSwitch G8000 Application Guide Preface ContentsChapter 1 Accessing the Switch Chapter 2 Port-based Network Access ControlChapter 5 Spanning Tree Chapter 4 Ports and TrunkingChapter 7 Remote Monitoring Chapter 6 Quality of ServiceChapter 10 High Availability Appendix A TroubleshootingChapter 8 Basic IP Routing Chapter 9 IGMPFigures BMD00041, November RackSwitch G8000 Application GuideTables BMD00041, November RackSwitch G8000 Application GuideWho Should Use This Guide PrefaceWhat You’ll Find in This Guide Table 1 Typographic Conventions Typographic ConventionsRackSwitch G8000 Application Guide SymbolHow to Get Help „ “Using the Browser-Based Interface” on page „ “Using SNMP” on page Accessing the SwitchCHAPTER „ “Configuring an IP Interface” on page „ “Using Telnet” on pageCommand Reference Configuring an IP Interface1. Log on to the switch 2. Enter IP interface mode 4. Configure the default gateway. Enable the gatewayUsing Telnet Configuring BBI access via HTTPS Using the Browser-Based InterfaceConfiguring BBI access via HTTP The BBI is organized at a high level as follows SNMP Using SNMPDefault configuration SNMP v1User configuration 22 „ Chapter 1 Accessing the Switch RackSwitch G8000 Application GuideRS G8000 config# snmp-server group 5 user-name admin RS G8000 config# snmp-server group 5 group-name admingrp1. Configure an entry in the notify table Configuring SNMP Trap HostsSNMPv2 trap host configuration SNMPv1 trap hostSNMPv3 trap host configuration „ “End User Access Control” on page Securing Access to the Switch„ “RADIUS Authentication and Authorization” on page „ “TACACS+ Authentication” on pageHow RADIUS authentication works RADIUS Authentication and Authorization2. Configure the RADIUS secret and enable the feature Configuring RADIUSRADIUS authentication features in Blade OS Vendor-supplied Switch User AccountsRADIUS Attributes for G8000 user privileges Vendor-suppliedHow TACACS+ authentication works TACACS+ AuthenticationRS G8000 config# tacacs-server privilege-mapping TACACS+ authentication features in Blade OSAuthorization RS G8000 config# tacacs-server command-authorization Command authorization and loggingAccounting 4. Configure the number of retry attempts, and the timeout period Configuring TACACS+ AuthenticationRS G8000 config# tacacs-server command-logging 2. Configure the TACACS+ secret and second secretSSH encryption of management messages Configuring SSH features on the switchSecure Shell RS G8000 config# ssh generate-server-key Generating RSA Host and Server Keys for SSH accessSSH Integration with RADIUS/TACACS+ Authentication RS G8000 config# ssh generate-host-keySetting up User IDs End User Access ControlConsiderations for configuring End User Accounts User Access ControlEnabling or Disabling a User Defining a User’s access levelListing current Users Logging into an End User accountBMD00041, November RackSwitch G8000 Application Guide38 „ Chapter 1 Accessing the Switch „ “Configuration guidelines” on page Port-based Network Access Control„ “Extensible Authentication Protocol over LAN” on page „ “802.1X authentication process” on pageExtensible Authentication Protocol over LAN Port Authorized 802.1X authentication processPort Unauthorized EAPoL message exchange „ Force Unauthorized 802.1X port states„ Unauthorized „ AuthorizedTable 2 Support for RADIUS Attributes Supported RADIUS attributesRackSwitch G8000 Application Guide 44 „ Chapter 2 Port-based Network Access ControlConfiguration guidelines BMD00041, November RackSwitch G8000 Application Guide46 „ Chapter 2 Port-based Network Access Control „ “VLAN Topologies and Design Considerations” on page VLANsCHAPTER „ “VLANs and Port VLAN ID Numbers” on page „ “VLAN Tagging” on pageOverview Viewing VLANs VLANs and Port VLAN ID NumbersVLAN numbers PVID numbers Viewing and Configuring PVIDsVLAN Tagging BS45010A Figure 3-1 Default VLAN settingsBefore Figure 3-2 Port-based VLAN assignmentFigure 3-3 802.1Q tagging after port-based VLAN assignment 16 bits Figure 3-4 802.1Q tag assignmentFigure 3-5 802.1Q tagging after 802.1Q tag assignment untagged packetVLAN Topologies and Design Considerations VLAN configuration rulesDescription Multiple VLANs with Tagging AdaptersComponent Description Component3. Configure the VLANs and their member ports VLAN configuration example1. Enable VLAN tagging on server ports that support multiple VLANs 2. Enable tagging on uplink ports that support multiple VLANsPrivate VLAN ports Private VLANs1. Select a VLAN and define the Private VLAN type as primary Configuration exampleConfiguration guidelines enable 2. Configure a secondary VLAN and map it to the primary VLAN3. Verify the configuration RackSwitch G8000 Application GuideBMD00041, November RackSwitch G8000 Application Guide62 „ Chapter 3 VLANs „ ““Overview” on page 64” „ “Port Trunking Example” on page Ports and Trunking„ “Configurable Trunk Hash Algorithm” on page CHAPTEROverview Built-In fault toleranceStatistical load distribution Static trunk group configuration rules Before you configure static trunks„ All trunk members must be in the same Spanning Tree Group STG and can belong to only one Spanning Tree Group STG. However if all ports are tagged, then all trunk ports can belong to multiple STGs 1. Follow these steps on the G8000 Port Trunking ExampleTrunk 3 Ports 2, 23, and Trunk 1 Ports 1, 7, andRS G8000 config# portchannel 1 member 1,7,32 2. Repeat the process on the other switch3. Connect the switch ports that will be members in the trunk group 4. Examine the trunking information on each switchConfigurable Trunk Hash Algorithm Admin key Link Aggregation Control ProtocolEach port on the switch can have one of the following LACP modes 3. Set the LACP mode LACP configuration guidelinesConfiguring LACP „ “Per VLAN Rapid Spanning Tree” on page Spanning TreeCHAPTER „ “Overview” on page „ “Rapid Spanning Tree Protocol” on pageTable 5-1 Ports, Trunk Groups, and VLANs OverviewBridge Priority Bridge Protocol Data Units BPDUsDetermining the Path for Forwarding BPDUs Port Path Cost Spanning Tree Group configuration guidelinesChanging the Spanning Tree mode Port PriorityAssigning a VLAN to a Spanning Tree Group Adding and removing ports from STGs Creating a VLANRules for VLAN Tagged ports Chapter 5 Spanning Tree „ RackSwitch G8000 Application GuideBMD00041, November Port state changes Rapid Spanning Tree ProtocolLink Type RSTP configuration guidelinesPort Type and Link Type Edge Port2. Set the Spanning Tree mode to Rapid Spanning Tree RSTP configuration exampleConfigure Rapid Spanning Tree 1. Configure port and VLAN membership on the switchPer VLAN Rapid Spanning Tree Default Spanning Tree configurationFigure 5-2 Two VLANs, each on a different Spanning Tree Group Why do we need multiple Spanning Trees?Figure 5-1 Two VLANs on one Spanning Tree Group 1. Set the Spanning-tree mode to PVRST+ PVRST configuration guidelinesConfiguring PVRST Common Internal Spanning Tree Multiple Spanning Tree ProtocolMSTP Region MSTP configuration guidelines Blocking VLAN Passing VLANBlocking VLAN RackSwitch G8000 Application Guide2. Configure Multiple Spanning Tree Protocol Configuring Multiple Spanning Tree Groupsmember RackSwitch G8000 Application Guideenable memberFast Uplink Convergence Configuration GuidelinesConfiguring Fast Uplink Convergence BMD00041, November RackSwitch G8000 Application Guide92 „ Chapter 5 Spanning Tree „ “Using DSCP Values to Provide QoS” on page Quality of Service„ “Overview” on page „ “Using ACL Filters” on page „ “Using Storm Control Filters” on pageOverview Permit/DenyFilter COS QueueMAC Extended ACLs Using ACL FiltersIP Extended ACLs IP Standard ACLsTable 6-1 Well-known protocol types RackSwitch G8000 Application GuideRS G8000 config# access-list ip extended RS G8000 config# no access-list ip extendedACL IP Extended Understanding ACL priorityAssigning ACLs to a port Port 1 access group ACL IP ExtendedViewing ACL statistics 3. Verify the configuration ACL configuration examplesExample 1. Configure an Access Control List2. Assign the ACL to port Use this configuration to block traffic from a network destined for a specific host address. All traffic that ingresses port 10 with source IP from the class 100.10.1.0/24 and destination IP 200.20.2.2 is denied1. Configure an Access Control List Exampleconfig# ip access-list ip extended 1. Configure an Access Control List1. Configure an Access Control List RackSwitch G8000 Application GuideExample 2. Configure IP ACLs to deny all other traffic4. Configure a MAC ACL to deny all other traffic ip access-group 1103 in RackSwitch G8000 Application GuideRS G8000 config# interface port RS G8000 config-if#Broadcast storms Using Storm Control FiltersConfiguring storm control 7 6 5 4 Using DSCP Values to Provide QoSDifferentiated Services Concepts The switch can perform the following actions to the DSCP Per Hop Behavior Service Level QoS LevelsDefault QoS Service Levels RackSwitch G8000 Application GuideDSCP-to-802.1p mapping Figure 6-3 Layer 2 802.1q/802.1p VLAN tagged packet Using 802.1p Priority to Provide QoS1. Configure a port’s default 802.1p priority value to 802.1p configuration exampleQueuing and Scheduling CHAPTER Remote MonitoringOverview 2. Configure the RMON statistics on a port Configuring RMON statisticsRMON group 1-Statistics 1. Enable RMON on a portRS G8000# show rmon history RMON group 2-HistoryHistory MIB Object ID 2. Configure the RMON History parameters for a port RMON group 3-AlarmsConfiguring RMON History 1. Enable RMON on a portExample Alarm MIB objectsConfiguring RMON Alarms 1. Configure the RMON event parameters Configure RMON eventsRMON group 9-Events 1. Configure the RMON Alarm parameters to track ICMP messages„ “IP Routing Benefits” on page Basic IP Routing„ “Dynamic Host Configuration Protocol” on page CHAPTERIP Routing Benefits Figure 8-1 The Router Legacy Network Routing Between IP Subnets„ Traffic to the router increases, increasing congestion Figure 8-2 Switch-Based Routing Topology Example of Subnet RoutingTable 8-1 Subnet Routing Example IP Address Assignments Using VLANs to segregate Broadcast DomainsConfiguration example 2. Assign an IP interface for each subnet attached to the switchenable 4. Add the switch ports to their respective VLANsRackSwitch G8000 Application Guide enable5. Assign a VLAN to each IP interface 6. Configure the default gateway to the routers’ addresses7. Enable IP routing 8. Verify the configurationDynamic Host Configuration Protocol BMD00041, November RackSwitch G8000 Application Guide128 „ Chapter 8 Basic IP Routing „ “Static Multicast Router” on page IGMPCHAPTER „ “IGMP Snooping” on page „ “IGMPv3 Snooping” on pageRS G8000 config# no ip igmp flood IGMP SnoopingRS G8000 config# ip igmp fastleave VLAN number FastLeaveIGMPv3 Snooping RS G8000 config# ip igmp snoop igmpv3 sources IGMP Snooping configuration exampleConfigure IGMP Snooping RS G8000 config# no ip igmp snoop igmpv3 excludeRS G8000# show ip igmp mrouter RackSwitch G8000 Application Guide5. View dynamic IGMP information RS G8000# show ip igmp groups2. Verify the configuration Configure a Static Multicast RouterStatic Multicast Router BMD00041, November High AvailabilityCHAPTER „ “Uplink Failure Detection” on pageFigure 10-1 Uplink Failure Detection example Uplink Failure Detection„ Link to Monitor LtM Failure Detection PairSpanning Tree Protocol with UFD Configuration guidelines2. Assign the Link to Monitor LtM ports Configuring UFDMonitoring UFD 1. Configure Network Adapter Teaming on the serversBMD00041, November TroubleshootingAPPENDIX A „ “Monitoring Ports” on pageFigure A-1 Monitoring Ports Monitoring Ports3. View the current configuration Configuring Port MirroringPort Mirroring behavior 2. Enable port mirroringBMD00041, November RackSwitch G8000 Application Guide142 „ Appendix A Troubleshooting Numerics SymbolsIndex