Cabletron Systems 9032578-05 - page 296

Chapter 19: Access Control List Configuration Guide

270 SmartSwitch Router User Reference Manual

criteria (in this case, flows from source address 1.2.2.2). Then you use a rate-limit

command to specify what happens to packets that match the selection criteria (in this

example, drop them if their bandwidth usage exceeds 10 Mbps). The following commands

illustrate this example.

This command creates a Profile ACL called prof2 that uses as its selection criteria all

packets originating from source address 1.2.2.2:

The following command creates a rate limit definition that causes flows matc hing Profile

ACL prof2’s selection criteria (that is, traffic from 1.2.2.2) to be restricted to 10 Mbps for

each flow. If this rate limit is exceeded, the packets are dropped.

When the rate limit definition is applied to an interface (with the rate-limit apply

interface command), packets in flows originating from source address 1.2.2.2 are dropped

if their bandwidth usage exceeds 10 Mbps.

See “Limiting Traffic Rate” on page 303 for more information on using the rate-limit

command.

Using Profile ACLs with Dynamic NAT

Network Address Translation (NAT) allows you to map an IP address used within one

network to a different IP address used within another network. NAT is often used to map

addresses used in a private, local intranet to one or more addresses used in the public,

global Internet.

The SSR supports two kinds of NAT: static NAT and dynamic NAT. With dynamic NAT, an

IP address within a range of local IP addresses is mapped to an IP address within a range

of global IP addresses. For example, you can configure IP addresses on network

10.1.1.0/24 to use an IP address in the range of IP addresses in network 192.50.20.0/24.

You can use a Profile ACL to define the ranges of local IP addresses.

The following command creates a Profile ACL called local. The local profile specifies as its

selection criteria the range of IP addresses in network 10.1.1.0/24..

Note: When a Profile ACL is defined for dynamic NAT, only the source IP address field

in the acl statement is evaluated. All other fields in the acl statement are ignored.

ssr(config)# acl prof2 permit ip 1.2.2.2

ssr(config)# rate-limit client1 input acl prof2 rate-limit 10000000

exceed-action drop-packets

ssr(config)# acl local permit ip 10.1.1.0/24

Contents

Main Page Regulatory Compliance Information Regulatory Compliance Statements Industry Canada Compliance Statement VCCI Compliance Statement Safety Information: Class 1 Laser Transceivers Laser Radiation and Connectors Cabletron Systems, Inc. Page Cabletron Systems Sales and Service, Inc. Page Cabletron Systems Limited Page Declaration of Conformity Addendum Contents Chapter 1: Introduction............................................................................3 Chapter 2: Hot Swapping Line Cards and Control Modules................ 13 Chapter 3: Bridging Configuration Guide............................................. 21 Chapter 4: SmartTRUNK Configuration Guide......................................35 Chapter 5: ATM Configuration Guide....................................................41 Chapter 6: Packet-over-SONET Configuration Guide........................... 57 Chapter 7: DHCP Configuration Guide.................................................. 67 Chapter 8: IP Routing Configuration Guide.......................................... 77 Chapter 9: VRRP Configuration Guide...................................................91 Chapter 10: RIP Configuration Guide...................................................105 Chapter 11: OSPF Configuration Guide...............................................111 Chapter 12: BGP Configuration Guide.................................................125 Chapter 13: Routing Policy Configuration Guide................................161 Chapter 14: Multicast Routing Configuration Guide......................... 197 Chapter 15: IP Policy-Based Forwarding Configuration Guide.......... 207 Chapter 16: Network Address Translation Configuration Guide...... 219 Chapter 17: Web Hosting Configuration Guide..................................231 Chapter 18: IPX Routing Configuration Guide....................................249 Chapter 19: Access Control List Configuration Guide........................ 259 Chapter 20: Security Configuration Guide.......................................... 275 Chapter 21: QoS Configuration Guide.................................................291 Chapter 22: Performance Monitoring Guide...................................... 309 Chapter 23: RMON Configuration Guide............................................ 313 Chapter 24: LFAP Configuration Guide................................................329 Chapter 25: WAN Configuration Guide...............................................333 Appendix A: New Features Supported on Line Cards........................357 Page About This Manual Related Documentation Document Conventions Page Chapter 1 Introduction Configuration Files Using the Command Line Interface Command Modes Getting Help with CLI Commands Page Line Editing Commands Page Displaying and Changing Configuration Information Page Port Names 1 2 5 6 Page Page Hot Swapping Line Cards Deactivating the Line Card Removing the Line Card Installing a New Line Card Hot Swapping One Type of Line Card With Another Hot Swapping a Secondary Control Module Deactivating the Control Module Removing the Control Module Installing a Control Module Hot Swapping a Switching Fabric Module (SSR 8600 only) Removing the Switching Fabric Module Installing a Switching Fabric Module Page Page Bridging Modes (Flow-Based and Address-Based) VLAN Overview Page SSR VLAN Support Page Configuring SSR Bridging Functions Configuring Address-based or Flow-based Bridging Page Configuring Spanning Tree Adjusting Spanning-Tree Parameters Page Page Configuring a Port- or Protocol-Based VLAN Configuring VLAN Trunk Ports Configuring VLANs for Bridging Configuring Layer-2 Filters Monitoring Bridging Creating an IP or IPX VLAN Creating a non-IP/non-IPX VLAN Chapter 4 SmartTRUNK Overview Configuring SmartTRUNKs Creating a SmartTRUNK Add Physical Ports to the SmartTRUNK Specify Traffic Distribution Policy (Optional) Monitoring SmartTRUNKs Example Configurations The following is the SmartTRUNK configuration for the SSR labeled R1 in the diagram: The following is the SmartTRUNK configuration for the SSR labeled S1 in the diagram: The following is the SmartTRUNK configuration for the SSR labeled S2 in the diagram: Page Chapter 5 ATM Configuration ATM Overview Virtual Channels Creating a Virtual Channel Service Class Definition Creating a Service Class Definition Applying a Service Class Definition Cell Scrambling Enabling Cell Scrambling Cell Mapping Selecting the Cell Mapping Format Creating a Non-Zero VPI Setting the Bit Allocation for VPI Displaying ATM Port Information Page Page Page Page Configuring an Interface on an Ethernet Port Creating a Virtual Channel Defining an ATM Service Class Applying an ATM Service Class Configuring an Interface on an ATM Port Configuring an IP Route Page Page Page Configuring IP Interfaces for PoS Links Configuring Packet-over-SONET Links Configuring Automatic Protection Switching Configuring Working and Protecting Ports Specifying Bit Error Rate Thresholds Monitoring PoS Ports Example Configurations APS PoS Links Between SSRs PoS Link Between the SSR and a Cisco Router Bridging and Routing Traffic Over a PoS Link Page Page Configuring DHCP Configuring an IP Address Pool Configuring Client Parameters Configuring a Static IP Address Grouping Scopes with a Common Interface Configuring DHCP Server Parameters Updating the Lease Database Monitoring the DHCP Server DHCP Configuration Examples Configuring Secondary Subnets Secondary Subnets and Directly-Connected Clients Interacting with Relay Agents Page Page Page Multicast Routing Protocols Configuring IP Interfaces and Parameters Configuring IP Interfaces to Ports Configuring IP Interfaces for a VLAN Specifying Ethernet Encapsulation Method Configuring Jumbo Frames Configuring Address Resolution Protocol (ARP) Configuring Reverse Address Resolution Protocol (RARP) Page Configuring DNS Parameters Configuring IP Services (ICMP) Configuring IP Helper Configuring Direct Broadcast Configuring Denial of Service (DOS) Monitoring IP Parameters Configuring Router Discovery Page Page Page Page Basic VRRP Configuration Symmetrical Configuration Page Multi-Backup Configuration Page Page Page Additional Configuration Page Monitoring VRRP ip-redundancy trace ip-redundancy show VRRP Configuration Notes Page Chapter 10 RIP Configuration RIP Overview Configuring RIP Enabling and Disabling RIP Configuring RIP Interfaces Configuring RIP Parameters Page Configuring RIP Route Preference Configuring RIP Route Default-Metric Monitoring RIP Configuration Example Page Chapter 11 OSPF OSPF Overview OSPF Multipath Configuring OSPF Enabling OSPF Configuring OSPF Interface Parameters Default Cost of an OSPF Interface Configuring an OSPF Area Configuring OSPF Area Parameters Creating Virtual Links Configuring Autonomous System External (ASE) Link Advertisements Configuring OSPF for Different Types of Interfaces Monitoring OSPF Page OSPF Configuration Examples Page Page Page Page Chapter 12 BGP Configuration BGP Overview The SSR BGP Implementation Basic BGP Tasks Setting the Autonomous System Number Setting the Router ID Configuring a BGP Peer Group Page Adding and Removing a BGP Peer Starting BGP Using AS-Path Regular Expressions Page Using the AS Path Prepend Feature BGP Configuration Examples BGP Peering Session Example Page IBGP Configuration Example Page Figure 10 shows a sample BGP configuration that uses the Routing group type. Figure 10. Sample IBGP Configuration (Routing Group Type) AS-64801 The following lines in the Cisco router configure OSPF: The following lines in the SSR6 set up peering with the Cisco router using the Routing group type. Page Page The gated.conf file for router SSR1 is as follows: The CLI configuration for router SSR2 is as follows: The gated.conf file for router SSR2 is as follows: EBGP Multihop Configuration Example Page The gated.conf file for router SSR1 is as follows: The CLI configuration for router SSR2 is as follows: The CLI configuration for router SSR3 is as follows: The gated.conf file for router SSR2 is as follows: Community Attribute Example Figure 12. Sample BGP Configuration (Specific Community) Page In Figure 13, router SSR11 has the following configuration: Page In Figure 13, router SSR10 has the following configuration: In Figure 13, router SSR14 has the following configuration: Page Local Preference Examples Page Page Multi-Exit Discriminator Attribute Example EBGP Aggregation Example Route Reflection Example Page Page Page Page Preference Import Policies Export Policies Specifying a Route Filter Aggregates and Generates Page Authentication Configuring Simple Routing Policies Redistributing Static Routes Redistributing Directly Attached Networks Redistributing RIP into RIP Redistributing RIP into OSPF Redistributing OSPF to RIP Redistributing Aggregate Routes Simple Route Redistribution Examples Page Page Configuring Advanced Routing Policies Export Policies Page Creating an Export Destination Creating an Export Source Import Policies Creating an Import Source Creating a Route Filter Creating an Aggregate Route Creating an Aggregate Destination Creating an Aggregate Source Examples of Import Policies Page Page Page Page Page Page Examples of Export Policies Page Page Page Page Page Page Page Page Page Page DVMRP Overview Configuring IGMP Configuring IGMP on an IP Interface Configuring IGMP Query Interval Configuring IGMP Response Wait Time Configuring Per-Interface Control of IGMP Membership Configuring DVMRP Starting and Stopping DVMRP Configuring DVMRP on an Interface Configuring DVMRP Parameters Configuring the DVMRP Routing Metric Configuring DVMRP TTL & Scope Configuring a DVMRP Tunnel Monitoring IGMP & DVMRP Page Page Page Page Configuring IP Policies Defining an ACL Profile Associating the Profile with an IP Policy Page Applying an IP Policy to an Interface IP Policy Configuration Examples Routing Traffic to Different ISPs Prioritizing Service to Customers Authenticating Users through a Firewall Firewall Load Balancing Monitoring IP Policies Page Page Page Page Configuring NAT Setting Inside and Outside Interfaces Setting NAT Rules Forcing Flows through NAT Managing Dynamic Bindings NAT and DNS NAT and ICMP Packets NAT and FTP Monitoring NAT Static Configuration Dynamic Configuration Page Dynamic NAT with IP Overload (PAT) Configuration Dynamic NAT with DNS Dynamic NAT with Outside Interface Redundancy Page Page Load Balancing Configuring Load Balancing Session Persistence Persistence Level Default Binding Timeout Optional Group or Server Operating Parameters Page Setting Server Status Load Balancing and FTP Allowing Access to Load Balancing Servers Setting Timeouts for Load Balancing Mappings Displaying Load Balancing Information Configuration Examples Domain Name Virtual IP TCP Port Real Server Domain Name Virtual IP TCP Port Real Server Group Name Virtual IP TCP Port Destination Server IP TCP Port Client IP Address Domain Name Virtua l IP Real Server Web Caching Configuring Web Caching Page Configuration Example Other Configurations Monitoring Web-Caching Page Chapter 18 IPX Routing IPX Routing Overview RIP (Routing Information Protocol) SAP (Service Advertising Protocol) Configuring IPX RIP & SAP IPX RIP IPX SAP Creating IPX Interfaces IPX Addresses Configuring IPX Interfaces and Parameters Configuring IPX Addresses to Ports Configuring Secondary Addresses on an IPX Interface Configuring IPX Interfaces for a VLAN Specifying IPX Encapsulation Method Configuring IPX Routing Enabling IPX RIP Enabling SAP Configuring Static Routes Configuring Static SAP Table Entries Controlling Access to IPX Networks Page Page Monitoring an IPX Network Page Page ACL Basics Defining Selection Criteria in ACL Rules Page How ACL Rules are Evaluated Implicit Deny Rule Allowing External Responses to Established TCP Connections Creating and Modifying ACLs Editing ACLs Offline Maintaining ACLs Using the ACL Editor Using ACLs Applying ACLs to Interfaces Applying ACLs to Services Applying ACLs to Layer-4 Bridging Ports Using ACLs as Profiles Page Page Page Page Enabling ACL Logging Monitoring ACLs Page Configuring SSR Access Security Configuring RADIUS Configuring TACACS Configuring TACACS Plus Configuring Passwords Layer-2 Security Filters Configuring Layer-2 Address Filters Configuring Layer-2 Port-to-Address Lock Filters Configuring Layer-2 Static Entry Filters Configuring Layer-2 Secure Port Filters Monitoring Layer-2 Security Filters Layer-2 Filter Examples Page Layer-3 Access Control Lists (ACLs) Layer-4 Bridging and Filtering Creating a Port-Based VLAN for Layer-4 Bridging Placing the Ports on the Same VLAN Enabling Layer-4 Bridging on the VLAN Creating ACLs to Specify Selection Criteria for Layer-4 Bridging Applying a Layer-4 Bridging ACL to a Port Notes Page Page Chapter 21 QoS Configuration QoS & Layer-2/Layer-3/Layer-4 Flow Overview Layer-2 and Layer-3 & Layer-4 Flow Specification Precedence for Layer-3 Flows SSR Queuing Policies Traffic Prioritization for Layer-2 Flows Configuring Layer-2 QoS 802.1p Priority Mapping Table 9: Default Priority Map 802.1p CoS Val ue s Internal Priority Queue Page Traffic Prioritization for Layer-3 & Layer-4 Flows Configuring IP QoS Policies Configuring IPX QoS Policies Configuring SSR Queueing Policy Allocating Bandwidth for a Weighted-Fair Queuing Policy Weighted Random Early Detection (WRED) ToS Re wri te Configuring ToS Rewrite for IP Packets Page Monitoring QoS Limiting Traffic Rate Rate Limiting Modes Per-Flow Rate Limiting Port Rate Limiting Aggregate Rate Limiting Example Configurations Page Displaying Rate Limit Information Chapter 22 Performance Monitoring Guide Performance Monitoring Overview Page Configuring the SSR for Port Mirroring Monitoring Broadcast Traffic Page Page Configuring and Enabling RMON Example of RMON Configuration Commands RMON Groups Page Control Tables Using RMON Configuring RMON Groups Page Configuration Examples Displaying RMON Information RMON CLI Filters Page Troubleshooting RMON Page Allocating Memory to RMON Page Page Cabletrons Traffic Accounting Services Configuring the LFAP Agent on the SSR Page Monitoring the LFAP Agent on the SSR Page Configuring WAN Interfaces Primary and Secondary Addresses Static, Mapped, and Dynamic Peer IP/IPX Addresses Page Forcing Bridged Encapsulation Packet Compression Page Packet Encryption WAN Quality of Service Page Frame Relay Overview Virtual Circuits Configuring Frame Relay Interfaces for the SSR Defining the Type and Location of a Frame Relay and VC Interface Setting up a Frame Relay Service Profile Applying a Service Profile to an Active Frame Relay WAN Port Monitoring Frame Relay WAN Ports Frame Relay Port Configuration Page Point-to-Point Protocol (PPP) Overview Use of LCP Magic Numbers Configuring PPP Interfaces Defining the Type and Location of a PPP Interface Setting up a PPP Service Profile Applying a Service Profile to an Active PPP Port Configuring Multilink PPP Bundles Monitoring PPP WAN Ports PPP Port Configuration Page WAN Configuration Examples Simple Configuration File SmartSwitch Router User Reference Manual 351 Multi-Router WAN Configuration R3 Figure 27. Multi-router WAN configuration R5 R4 Router R1 Configuration File The following configuration file applies to Router R1. Router R2 Configuration File The following configuration file applies to Router R2. SmartSwitch Router User Reference Manual 353 Router R3 Configuration File The following configuration file applies to Router R3. Router R4 Configuration File The following configuration file applies to Router R4. 354 SmartSwitch Router User Reference Manual Router R5 Configuration File The following configuration file applies to Router R5. Router R6 Configuration File The following configuration file applies to Router R6. SmartSwitch Router User Reference Manual 355 Page Page Line Cards Introduced at the 3.0 Firmware Release (-AA Revision) Line Cards Introduced at the 3.1 Firmware Release (T-Series) Page SSR 2000 Line Cards New Features that Require Specific Line Cards Network Address Translation Page Load Balancing (LSNAT) Layer 4 Bridging Per-Protocol VLAN QoS Rate Limiting ToS Rew ri te Established Bit ACL Multiple IPX Encapsulation Weighted Random Early Detection (WRED) Jumbo Frames Summary Identifying a Line Card