IP Standard ACLs, IP Extended ACLs | Blade ICE G8000 instruction

RackSwitch G8000 Application Guide

IP Standard ACLs

The switch supports up to 127 IP ACLs (standard and extended). IP Standard ACLs are num- bered from 1-1000. Use IP Standard ACLs to filter traffic using source IP address/network mask and destination IP address/network/mask.

To create an IP Standard ACL:

RS G8000 (config)# access-list ip standard 1

RS G8000 (config-std-nacl)#

To delete an IP Standard ACL:

RS G8000 (config)# no access-list ip standard 1

RS G8000 (config)#

IP Extended ACLs

The switch supports up to 127 IP ACLs (standard and extended). IP Extended ACLs are num- bered from 1001-65535. Use IP Extended ACLs to filter traffic using the following criteria:

Source IP address/network mask

Destination IP address/network mask

IP protocol number or name as shown in Table 6-1

TCP/UDP application ports, as shown in Table 6-2 on page 97

TCP flags

ICMP message code and type

Type of Service (TOS) value

DSCP value

96 Chapter 6: Quality of Service

BMD00041, November 2008

Image 96

Blade ICE G8000 manual IP Standard ACLs, IP Extended ACLs

Contents

Application Guide RackSwitch G8000 Application Guide Contents Ports and Trunking Quality of Service Appendix a Troubleshooting Figures RackSwitch G8000 Application Guide Tables RackSwitch G8000 Application Guide Preface Who Should Use This Guide What You’ll Find in This Guide Typographic Conventions Typographic Conventions How to Get Help Accessing the Switch Configuring an IP Interface Log on to the switch Enter IP interface modeConfigure the default gateway. Enable the gateway Using Telnet Using the Browser-Based Interface Configuring BBI access via HttpConfiguring BBI access via Https RS G8000 config# access https import-certificate Using Snmp Default configurationSnmp v1 Snmp User configuration Privacy-password 22 „ Accessing the Switch Configuring Snmp Trap Hosts SNMPv2 trap host configurationConfigure an entry in the notify table SNMPv1 trap host SNMPv3 trap host configuration Securing Access to the Switch Radius Authentication and Authorization How Radius authentication works Configuring Radius Configure the Radius secret and enable the feature Radius authentication features in Blade OS Switch User Accounts Radius Attributes for G8000 user privileges TACACS+ Authentication How TACACS+ authentication works TACACS+ authentication features in Blade OS Authorization Command authorization and logging Accounting Configuring TACACS+ Authentication Configure the TACACS+ secret and second secret Configuring SSH features on the switch Secure ShellSSH encryption of management messages Generating RSA Host and Server Keys for SSH access SSH Integration with RADIUS/TACACS+ Authentication End User Access Control Considerations for configuring End User AccountsUser Access Control Listing current Users Logging into an End User account RackSwitch G8000 Application Guide 38 „ Accessing the Switch Port-based Network Access Control Extensible Authentication Protocol over LAN 802.1X authentication process Port Unauthorized EAPoL message exchange 802.1X port states „ Unauthorized„ Authorized „ Force Unauthorized Supported Radius attributes Support for Radius Attributes Configuration guidelines BMD00041, November VLANs Overview VLANs and Port Vlan ID Numbers Vlan numbersViewing VLANs Viewing and Configuring PVIDs Pvid numbers Vlan Tagging 1Default Vlan settings 2Port-based Vlan assignment 4802.1Q tag assignment Vlan configuration rules Vlan Topologies and Design Considerations Multiple VLANs with Tagging Adapters Component Description Vlan Vlan configuration example Enable tagging on uplink ports that support multiple VLANsConfigure the VLANs and their member ports Private VLANs Private Vlan ports Configuration example Select a Vlan and define the Private Vlan type as primary Configure a secondary Vlan and map it to the primary Vlan Verify the configuration RackSwitch G8000 Application Guide 62 „ VLANs Ports and Trunking Built-In fault tolerance Statistical load distribution Before you configure static trunks Static trunk group configuration rules 66 „ Ports and Trunking Port Trunking Example Follow these steps on the G8000 Repeat the process on the other switch Examine the trunking information on each switch Configurable Trunk Hash Algorithm „ Source IP SIP + Destination IP DIP Admin key Link Aggregation Control Protocol RS G8000 # show lacp information Lacp configuration guidelines Configuring LacpSet the Lacp mode Spanning Tree 1Ports, Trunk Groups, and VLANs Bridge Protocol Data Units BPDUs Determining the Path for Forwarding BPDUs Spanning Tree Group configuration guidelines Changing the Spanning Tree mode Assigning a Vlan to a Spanning Tree Group Creating a Vlan Rules for Vlan Tagged portsAdding and removing ports from STGs RackSwitch G8000 Application Guide Rapid Spanning Tree Protocol Port state changes Rstp configuration guidelines Port Type and Link TypeEdge Port Link Type Rstp configuration example Configure Rapid Spanning Tree Default Spanning Tree configuration Per Vlan Rapid Spanning Tree Why do we need multiple Spanning Trees? 1Two VLANs on one Spanning Tree Group Pvrst configuration guidelines Configuring PvrstSet the Spanning-tree mode to PVRST+ Multiple Spanning Tree Protocol Mstp RegionCommon Internal Spanning Tree Mstp configuration guidelines Passing Vlan Blocking Vlan Configuring Multiple Spanning Tree Groups Configure Multiple Spanning Tree Protocol 90 „ Spanning Tree Configuring Fast Uplink Convergence Fast Uplink Convergence RackSwitch G8000 Application Guide 92 „ Spanning Tree Quality of Service COS Using ACL Filters MAC Extended ACLs IP Standard ACLs IP Extended ACLs 1Well-known protocol types Understanding ACL priority Assigning ACLs to a port Use the following command to view ACL statistics Viewing ACL statistics ACL configuration examples Configure an Access Control ListExample Assign the ACL to port 100.10.1.0 Add the ACL to port Add the ACL to a port Configure IP ACLs to deny all other traffic Configure a MAC ACL to deny all other traffic Assign the ACLs to a port Using Storm Control Filters Configuring storm controlBroadcast storms Using Dscp Values to Provide QoS Differentiated Services Concepts RackSwitch G8000 Application Guide Per Hop Behavior Drop Class Precedence Default QoS Service Levels QoS Levels Use the following command to perform DSCP-to-802.1p mapping DSCP-to-802.1p mapping Using 802.1p Priority to Provide QoS 3Layer 2 802.1q/802.1p Vlan tagged packet 802.1p configuration example Configure a port’s default 802.1p priority value toQueuing and Scheduling Remote Monitoring Overview Configuring Rmon statistics Enable Rmon on a portConfigure the Rmon statistics on a port Rmon group 1-Statistics Rmon group 2-History History MIB Object ID Rmon group 3-Alarms Configuring Rmon HistoryConfigure the Rmon History parameters for a port View Rmon History for the port Alarm MIB objects Configuring Rmon Alarms Configure Rmon events Configure the Rmon Alarm parameters to track Icmp messagesConfigure the Rmon event parameters Rmon group 9-Events Basic IP Routing IP Routing Benefits Routing Between IP Subnets 1The Router Legacy Network 122 „ Basic IP Routing 2Switch-Based Routing Topology Example of Subnet Routing Using VLANs to segregate Broadcast Domains 1Subnet Routing Example IP Address Assignments Add the switch ports to their respective VLANs 3Subnet Routing Example Optional Vlan Ports Configure the default gateway to the routers’ addresses Enable IP routingAssign a Vlan to each IP interface Dynamic Host Configuration Protocol RackSwitch G8000 Application Guide 128 „ Basic IP Routing Igmp Igmp Snooping FastLeave IGMPv3 Snooping Igmp Snooping configuration example Configure Igmp SnoopingEnable IGMPv3 Snooping optional Add VLANs to Igmp Snooping View dynamic Igmp information RS G8000# show ip igmp groups Configure a Static Multicast Router Static Multicast Router High Availability Uplink Failure Detection 1Uplink Failure Detection example Spanning Tree Protocol with UFD Configuration guidelines Failure Detection Pair Configuring UFD Monitoring UFDTurn on Uplink Failure Detection UFD Troubleshooting Monitoring Ports Figure A-1Monitoring Ports Configuring Port Mirroring Enable port mirroringView the current configuration Port Mirroring behavior BMD00041, November Index Numerics Igmp TACACS+