Manuals / Blade ICE / Computer Equipment / Computer Accessories

Blade ICE G8000 manual IP Standard ACLs, IP Extended ACLs

Models: G8000

1 145

Download 145 pages 21.85 Kb

Page 96

Image 96

RackSwitch G8000 Application Guide

IP Standard ACLs

The switch supports up to 127 IP ACLs (standard and extended). IP Standard ACLs are num- bered from 1-1000. Use IP Standard ACLs to filter traffic using source IP address/network mask and destination IP address/network/mask.

To create an IP Standard ACL:

RS G8000 (config)# access-list ip standard 1

RS G8000 (config-std-nacl)#

To delete an IP Standard ACL:

RS G8000 (config)# no access-list ip standard 1

RS G8000 (config)#

IP Extended ACLs

The switch supports up to 127 IP ACLs (standard and extended). IP Extended ACLs are num- bered from 1001-65535. Use IP Extended ACLs to filter traffic using the following criteria:

Source IP address/network mask

Destination IP address/network mask

IP protocol number or name as shown in Table 6-1

TCP/UDP application ports, as shown in Table 6-2 on page 97

TCP flags

ICMP message code and type

Type of Service (TOS) value

DSCP value

96 Chapter 6: Quality of Service

BMD00041, November 2008

Page 96

Image 96

Blade ICE G8000 manual IP Standard ACLs, IP Extended ACLs

Contents

RackSwitch G8000 Application GuideVersion Part Number BMD00041, NovemberRackSwitch G8000 Application Guide Contents Chapter 1 Accessing the SwitchChapter 2 Port-based Network Access Control PrefaceChapter 4 Ports and Trunking Chapter 5 Spanning TreeChapter 6 Quality of Service Chapter 7 Remote MonitoringAppendix A Troubleshooting Chapter 8 Basic IP RoutingChapter 9 IGMP Chapter 10 High AvailabilityFigures RackSwitch G8000 Application Guide BMD00041, NovemberTables RackSwitch G8000 Application Guide BMD00041, NovemberPreface Who Should Use This GuideWhat You’ll Find in This Guide Typographic Conventions RackSwitch G8000 Application GuideSymbol Table 1 Typographic ConventionsHow to Get Help Accessing the Switch CHAPTER„ “Configuring an IP Interface” on page „ “Using Telnet” on page „ “Using the Browser-Based Interface” on page „ “Using SNMP” on pageConfiguring an IP Interface 1. Log on to the switch 2. Enter IP interface mode4. Configure the default gateway. Enable the gateway Command ReferenceUsing Telnet Using the Browser-Based Interface Configuring BBI access via HTTPConfiguring BBI access via HTTPS The BBI is organized at a high level as follows Using SNMP Default configurationSNMP v1 SNMPUser configuration RackSwitch G8000 Application Guide RS G8000 config# snmp-server group 5 user-name adminRS G8000 config# snmp-server group 5 group-name admingrp 22 „ Chapter 1 Accessing the SwitchConfiguring SNMP Trap Hosts SNMPv2 trap host configurationSNMPv1 trap host 1. Configure an entry in the notify tableSNMPv3 trap host configuration Securing Access to the Switch „ “RADIUS Authentication and Authorization” on page„ “TACACS+ Authentication” on page „ “End User Access Control” on pageRADIUS Authentication and Authorization How RADIUS authentication worksConfiguring RADIUS 2. Configure the RADIUS secret and enable the featureRADIUS authentication features in Blade OS Switch User Accounts RADIUS Attributes for G8000 user privilegesVendor-supplied Vendor-suppliedTACACS+ Authentication How TACACS+ authentication worksTACACS+ authentication features in Blade OS AuthorizationRS G8000 config# tacacs-server privilege-mapping Command authorization and logging AccountingRS G8000 config# tacacs-server command-authorization Configuring TACACS+ Authentication RS G8000 config# tacacs-server command-logging2. Configure the TACACS+ secret and second secret 4. Configure the number of retry attempts, and the timeout periodConfiguring SSH features on the switch Secure ShellSSH encryption of management messages Generating RSA Host and Server Keys for SSH access SSH Integration with RADIUS/TACACS+ AuthenticationRS G8000 config# ssh generate-host-key RS G8000 config# ssh generate-server-keyEnd User Access Control Considerations for configuring End User AccountsUser Access Control Setting up User IDsDefining a User’s access level Listing current UsersLogging into an End User account Enabling or Disabling a UserRackSwitch G8000 Application Guide 38 „ Chapter 1 Accessing the SwitchBMD00041, November Port-based Network Access Control „ “Extensible Authentication Protocol over LAN” on page„ “802.1X authentication process” on page „ “Configuration guidelines” on pageExtensible Authentication Protocol over LAN 802.1X authentication process Port UnauthorizedPort Authorized EAPoL message exchange 802.1X port states „ Unauthorized„ Authorized „ Force UnauthorizedSupported RADIUS attributes RackSwitch G8000 Application Guide44 „ Chapter 2 Port-based Network Access Control Table 2 Support for RADIUS AttributesConfiguration guidelines RackSwitch G8000 Application Guide 46 „ Chapter 2 Port-based Network Access ControlBMD00041, November VLANs CHAPTER„ “VLANs and Port VLAN ID Numbers” on page „ “VLAN Tagging” on page „ “VLAN Topologies and Design Considerations” on pageOverview VLANs and Port VLAN ID Numbers VLAN numbersViewing VLANs Viewing and Configuring PVIDs PVID numbersVLAN Tagging Figure 3-1 Default VLAN settings BS45010AFigure 3-2 Port-based VLAN assignment Figure 3-3 802.1Q tagging after port-based VLAN assignmentBefore Figure 3-4 802.1Q tag assignment Figure 3-5 802.1Q tagging after 802.1Q tag assignmentuntagged packet 16 bitsVLAN configuration rules VLAN Topologies and Design ConsiderationsMultiple VLANs with Tagging Adapters ComponentDescription Component DescriptionVLAN configuration example 1. Enable VLAN tagging on server ports that support multiple VLANs2. Enable tagging on uplink ports that support multiple VLANs 3. Configure the VLANs and their member portsPrivate VLANs Private VLAN portsConfiguration example Configuration guidelines1. Select a VLAN and define the Private VLAN type as primary 2. Configure a secondary VLAN and map it to the primary VLAN 3. Verify the configurationRackSwitch G8000 Application Guide enableRackSwitch G8000 Application Guide 62 „ Chapter 3 VLANsBMD00041, November Ports and Trunking „ “Configurable Trunk Hash Algorithm” on pageCHAPTER „ ““Overview” on page 64” „ “Port Trunking Example” on pageBuilt-In fault tolerance Statistical load distributionOverview Before you configure static trunks Static trunk group configuration rules„ All trunk members must be in the same Spanning Tree Group STG and can belong to only one Spanning Tree Group STG. However if all ports are tagged, then all trunk ports can belong to multiple STGs Port Trunking Example Trunk 3 Ports 2, 23, andTrunk 1 Ports 1, 7, and 1. Follow these steps on the G80002. Repeat the process on the other switch 3. Connect the switch ports that will be members in the trunk group4. Examine the trunking information on each switch RS G8000 config# portchannel 1 member 1,7,32Configurable Trunk Hash Algorithm Link Aggregation Control Protocol Admin keyEach port on the switch can have one of the following LACP modes LACP configuration guidelines Configuring LACP3. Set the LACP mode Spanning Tree CHAPTER„ “Overview” on page „ “Rapid Spanning Tree Protocol” on page „ “Per VLAN Rapid Spanning Tree” on pageOverview Table 5-1 Ports, Trunk Groups, and VLANsBridge Protocol Data Units BPDUs Determining the Path for Forwarding BPDUsBridge Priority Spanning Tree Group configuration guidelines Changing the Spanning Tree modePort Priority Port Path CostAssigning a VLAN to a Spanning Tree Group Creating a VLAN Rules for VLAN Tagged portsAdding and removing ports from STGs RackSwitch G8000 Application Guide BMD00041, NovemberChapter 5 Spanning Tree „ Rapid Spanning Tree Protocol Port state changesRSTP configuration guidelines Port Type and Link TypeEdge Port Link TypeRSTP configuration example Configure Rapid Spanning Tree1. Configure port and VLAN membership on the switch 2. Set the Spanning Tree mode to Rapid Spanning TreeDefault Spanning Tree configuration Per VLAN Rapid Spanning TreeWhy do we need multiple Spanning Trees? Figure 5-1 Two VLANs on one Spanning Tree GroupFigure 5-2 Two VLANs, each on a different Spanning Tree Group PVRST configuration guidelines Configuring PVRST1. Set the Spanning-tree mode to PVRST+ Multiple Spanning Tree Protocol MSTP RegionCommon Internal Spanning Tree MSTP configuration guidelines Passing VLAN Blocking VLANRackSwitch G8000 Application Guide Blocking VLANConfiguring Multiple Spanning Tree Groups 2. Configure Multiple Spanning Tree ProtocolRackSwitch G8000 Application Guide enablemember memberConfiguration Guidelines Configuring Fast Uplink ConvergenceFast Uplink Convergence RackSwitch G8000 Application Guide 92 „ Chapter 5 Spanning TreeBMD00041, November Quality of Service „ “Overview” on page „ “Using ACL Filters” on page„ “Using Storm Control Filters” on page „ “Using DSCP Values to Provide QoS” on pagePermit/Deny FilterCOS Queue OverviewUsing ACL Filters MAC Extended ACLsIP Standard ACLs IP Extended ACLsRackSwitch G8000 Application Guide RS G8000 config# access-list ip extendedRS G8000 config# no access-list ip extended Table 6-1 Well-known protocol typesUnderstanding ACL priority Assigning ACLs to a portPort 1 access group ACL IP Extended ACL IP ExtendedViewing ACL statistics ACL configuration examples Example1. Configure an Access Control List 3. Verify the configurationUse this configuration to block traffic from a network destined for a specific host address. All traffic that ingresses port 10 with source IP from the class 100.10.1.0/24 and destination IP 200.20.2.2 is denied 1. Configure an Access Control ListExample 2. Assign the ACL to port1. Configure an Access Control List 1. Configure an Access Control ListRackSwitch G8000 Application Guide config# ip access-list ip extended2. Configure IP ACLs to deny all other traffic 4. Configure a MAC ACL to deny all other trafficExample RackSwitch G8000 Application Guide RS G8000 config# interface portRS G8000 config-if# ip access-group 1103 inUsing Storm Control Filters Configuring storm controlBroadcast storms Using DSCP Values to Provide QoS Differentiated Services Concepts7 6 5 4 The switch can perform the following actions to the DSCP Per Hop Behavior QoS Levels Default QoS Service LevelsRackSwitch G8000 Application Guide Service LevelDSCP-to-802.1p mapping Using 802.1p Priority to Provide QoS Figure 6-3 Layer 2 802.1q/802.1p VLAN tagged packet802.1p configuration example Queuing and Scheduling1. Configure a port’s default 802.1p priority value to Remote Monitoring OverviewCHAPTER Configuring RMON statistics RMON group 1-Statistics1. Enable RMON on a port 2. Configure the RMON statistics on a portRMON group 2-History History MIB Object IDRS G8000# show rmon history RMON group 3-Alarms Configuring RMON History1. Enable RMON on a port 2. Configure the RMON History parameters for a portAlarm MIB objects Configuring RMON AlarmsExample Configure RMON events RMON group 9-Events1. Configure the RMON Alarm parameters to track ICMP messages 1. Configure the RMON event parametersBasic IP Routing „ “Dynamic Host Configuration Protocol” on pageCHAPTER „ “IP Routing Benefits” on pageIP Routing Benefits Routing Between IP Subnets Figure 8-1 The Router Legacy Network„ Traffic to the router increases, increasing congestion Example of Subnet Routing Figure 8-2 Switch-Based Routing TopologyUsing VLANs to segregate Broadcast Domains Configuration example2. Assign an IP interface for each subnet attached to the switch Table 8-1 Subnet Routing Example IP Address Assignments4. Add the switch ports to their respective VLANs RackSwitch G8000 Application Guideenable enable6. Configure the default gateway to the routers’ addresses 7. Enable IP routing8. Verify the configuration 5. Assign a VLAN to each IP interfaceDynamic Host Configuration Protocol RackSwitch G8000 Application Guide 128 „ Chapter 8 Basic IP RoutingBMD00041, November IGMP CHAPTER„ “IGMP Snooping” on page „ “IGMPv3 Snooping” on page „ “Static Multicast Router” on pageIGMP Snooping RS G8000 config# no ip igmp floodFastLeave IGMPv3 SnoopingRS G8000 config# ip igmp fastleave VLAN number IGMP Snooping configuration example Configure IGMP SnoopingRS G8000 config# no ip igmp snoop igmpv3 exclude RS G8000 config# ip igmp snoop igmpv3 sourcesRackSwitch G8000 Application Guide 5. View dynamic IGMP informationRS G8000# show ip igmp groups RS G8000# show ip igmp mrouterConfigure a Static Multicast Router Static Multicast Router2. Verify the configuration High Availability CHAPTER„ “Uplink Failure Detection” on page BMD00041, NovemberUplink Failure Detection Figure 10-1 Uplink Failure Detection exampleFailure Detection Pair Spanning Tree Protocol with UFDConfiguration guidelines „ Link to Monitor LtMConfiguring UFD Monitoring UFD1. Configure Network Adapter Teaming on the servers 2. Assign the Link to Monitor LtM portsTroubleshooting APPENDIX A„ “Monitoring Ports” on page BMD00041, NovemberMonitoring Ports Figure A-1 Monitoring PortsConfiguring Port Mirroring Port Mirroring behavior2. Enable port mirroring 3. View the current configurationRackSwitch G8000 Application Guide 142 „ Appendix A TroubleshootingBMD00041, November Symbols IndexNumerics