Using ACL Groups, Quality of Service | HP 445946-001 manual

Quality of Service

Using ACL Groups

Access Control Lists (ACLs) allow you to classify packets according to a particular content in the packet header, such as the source address, destination address, source port number, destination port number, and others. Packet classifiers identify flows for more processing.

You can define a traffic profile by compiling a number of ACLs into an ACL Group, and assigning the ACL Group to a port.

ACL Groups are assigned and enabled on a per-port basis. Each ACL can be used by itself or in combination with other ACLs or ACL Groups on a given switch port.

ACLs can be grouped in the following manner:

•Access Control Lists

Access Control Lists (ACLs) allow you to classify packets according to a particular content in the packet header, such as the source address, destination address, source port number, destination port number, and others. Packet classifiers identify flows for more processing.

The HP 10GbE switch supports up to 384 ACLs. Each ACL defines one filter rule. Each filter rule is a collection of matching criteria, and can include an action (permit or deny the packet). For example:

ACL 200: VLAN = 1

SIP = 10.10.10.1 (255.255.255.0) Action = permit

•Access Control Groups

An Access Control Group (ACL Group) is a collection of ACLs. For example:

ACL Group 1

ACL 382:

VLAN = 1

SIP = 10.10.10.1 (255.255.255.0)

Action = permit

ACL 383:

VLAN = 2

SIP = 10.10.10.2 (255.255.255.0)

Action = deny

ACL 384:

PRI = 7

DIP = 10.10.10.3 (255.255.0.0)

Action = permit

In the example above, each ACL defines a filter rule. ACL 383 has a higher precedence than ACL 382, based on its number.

Use ACL Groups to create a traffic profile by gathering ACLs into an ACL Group, and assigning the ACL Group to a port. The HP 10GbE switch supports up to 384 ACL Groups. Each ACL group supports up to 96 ACLs.

90

Image 90

HP 445946-001 manual Using ACL Groups, Quality of Service

Contents

HP 10Gb Ethernet BL-c Switch Part number First edition June Legal notices Contents Configuring port-based traffic control Configuring Lacp802.1x authentication process 802.1x port states Adding a Vlan to a Spanning Tree Group Creating a Vlan Configuration guidelinesBridge priority Port priority Port path cost Edge port Link type 106 100105 109 141 131Internal versus external routing 134 155 173 Configuring the switch for tracking 177167 175 Accessing the switch Accessing the switchIntroduction Typographical conventions Typeface or Meaning Example SymbolAdditional references Management Network Connecting through the console port Connecting through TelnetConnecting through Secure Shell Using the command line interfaces Configuring an IP interface Using the Browser-based Interface Apply, verify, and save the configuration For more details, see Configuring Snmp trap hosts Using Simple Network Management ProtocolDefault configuration Snmp User configuration Cfg/sys/ssnmp/snmpv3/usm x/auth md5sha View based configurations CLI user equivalent CLI oper equivalent Configuring Snmp trap hostsConfigure a user with no authentication or password SNMPv1 trap host Accessing the switch Configure an entry in the notify table Sys/ssnmp/snmpv3/tparam x/uname SNMPv2 trap host configuration SNMPv3 trap host configuration Secure access to the switch Setting allowable source IP address ranges Radius authentication and authorization Configuring an IP address range for the management networkHow Radius authentication works Configuring Radius on the switch CLI example Apply and save the configuration Configuring Radius on the switch BBI example Click Submit User account Radius authentication featuresUser accounts for Radius users Description and tasks performed User name/access User service type Value TACACS+ authenticationAccessing the switch User access levels Radius attributes for user privileges Authorization How TACACS+ authentication worksTACACS+ authentication features User access level TACACS+ level Accounting Configure the TACACS+ secret and second secret Configure custom privilege-level mapping optional Configuring TACACS+ authentication on the switch BBI example Secure Shell and Secure Copy Configuring SSH and SCP features CLI example Enabling or disabling SSH Switch prompts you for the scpadmin password Using SSH and SCP client commandsEnter the following command to log in to the switch For example Generating RSA host and server keys for SSH access SSH and SCP encryption of management messages User access control SSH/SCP integration with Radius and TACACS+ authenticationUser account Description Password Setting up user IDs Define the user name and passwordEnable the user ID Ports and trunking Ports on the switchPorts and trunking Port number Port alias Ports and trunking Ethernet switch port names Before you configure trunksBuilt-in fault tolerance Port trunk groups Trunk group configuration rules Cfg/port x/cur Port trunking example Configuring trunk groups CLI example On Switch 1, configure trunk groups 5On Switch 2, configure trunk groups 4 Configuring trunk groups BBI example Click Submit Page Configurable Trunk Hash algorithm Actor Switch Partner SwitchLink Aggregation Control Protocol Page Apply and verify the configuration Configuring LacpDefine the admin key on port Save your new configuration changes Extensible authentication protocol over LAN Port-based Network Access and traffic controlPort-based Network Access control Port-based Network Access and traffic control 802.1x authentication process EAPoL Message Exchange 802.1x port states Supported Radius attributes Attribute Attribute Value EAPoL configuration guidelines Port-based traffic control Configuring port-based traffic control VLANs and port Vlan ID numbers VLANsOverview Vlan numbers Pvid numbers Viewing and configuring PVIDsPort configuration Viewing VLANs Vlan tagging VLANs VLANs VLANs and IP interfaces Vlan topologies and design considerations Vlan configuration rules Multiple Vlans with tagging Component Description Configuring the example network Configuring ports and VLANs on Switch 1 CLI exampleVLANs Multiple VLANs with tagging # add Add port 18 to Vlan Current Ports for Configuring ports and VLANs on Switch 2 CLI example Configuring ports and VLANs on Switch 1 BBI example VLANs Enable the port and enable Vlan tagging FDB static entries Cfg/l2/fdb/static Configuring a static FDB entry Trunking support for FDB static entries Spanning Tree Protocol Bridge Protocol Data UnitsSpanning Tree Protocol Spanning Tree Group configuration guidelines Default Spanning Tree configurationDetermining the path for forwarding BPDUs Rules for Vlan tagged ports Adding a Vlan to a Spanning Tree GroupCreating a Vlan Adding and removing ports from STGs Multiple Spanning Trees Why do we need Multiple Spanning Trees?Switch element Belongs to Assigning cost to ports and trunk groups Vlan participation in Spanning Tree Groups Two VLANs on separate instances of Spanning Tree Protocol Configuring Multiple Spanning Tree Groups Configuring Switch 1 CLI exampleConfiguring Switch 2 CLI example Configuring Switch 1 BBI example Page Configuring Fast Uplink Convergence Configuring Port Fast ForwardingConfiguration guidelines Port Fast Forwarding Port state changes Rstp and MstpRapid Spanning Tree Protocol Rstp and Mstp Rstp configuration guidelines Rstp configuration examplePort type and link type Configuring Rapid Spanning Tree Protocol BBI example Mstp region Rstp and Mstp Apply, verify, and save the configurationMultiple Spanning Tree Protocol Common Internal Spanning Tree Configuring Multiple Spanning Tree Protocol CLI example Mstp configuration guidelinesMstp configuration example Assign VLANs to Spanning Tree Groups Configuring Multiple Spanning Tree Protocol BBI example Click Submit Page Apply, verify, and save the configuration Quality of Service Quality of Service Using ACL filters Summary of packet classifiersNumber Protocol Name Application Quality of Service Well-known protocol typesNumber Well-krown TCP flag values Summary of ACL actions Understanding ACL precedencePrecedence Group ACLs Precedence Level Using ACL Groups Metering ACL Metering and Re-markingViewing ACL statistics Re-marking ACL configuration examples Configure Access Control Lists CLI example Configure Access Control Lists and Groups BBI example Click Submit Page Quality of Service Add the ACL to the port Per Hop Behavior Using Dscp values to provide QoSDifferentiated Services concepts Drop Precedence Class QoS levels Using 802.1p priorities to provide QoSService Level Default PHB 802.1p Priority Class selector priority classesPage 802.1p configuration CLI example 802.1p configuration BBI exampleConfigure a port’s default 802.1 priority Quality of Service Select a port 101 Quality of Service Set the 802.1p priority value 102 103 Page Queuing and scheduling Routing between IP subnets Basic IP routingIP routing benefits Basic IP routingPage Page Example of subnet routing Subnet Devices IP AddressesInterface Devices IP Interface Address Devices IP Interface Switch Port Using VLANs to segregate broadcast domainsEnable, apply, and verify the configuration Add the switch ports to their respective VLANs 110 111 Dynamic Host Configuration Protocol Dhcp relay agent Dhcp relay agent configuration Distance vector protocol Routing updatesRouting Information Protocol Stability RIPv1 RIPv2 in RIPv1 compatibility modeRIP Features RIPv2 Multicast DefaultAuthentication Metric Add IP interfaces to VLANs RIP configuration exampleAdd VLANs for routing interfaces Cfg/l3/frwd/on before you turn RIP on Igmp Snooping Igmp Snooping IGMPv3 FastLeave Configuring the range Configuring the actionIgmp Filtering Enable IGMPv3 Snooping optional Igmp Snooping configuration exampleConfiguring Igmp Snooping CLI example Static multicast router Enable Igmp Filtering on the switch Configuring Igmp Filtering CLI exampleConfiguring a Static Mrouter CLI example Define an Igmp Filter Configuring Igmp Snooping BBI example Igmp Snooping Enable Igmp Snooping Apply, verify, and save the configuration 124 Configuring Igmp Filtering BBI example Igmp Snooping Define the Igmp Filter Select Layer 3 Igmp Igmp Filters Add Filter126 Page Apply, verify, and save the configuration 128 Configuring a Static Multicast Router BBI example Configure Static Mrouter Click the Configure context button Apply, verify, and save the configuration Igmp Snooping 130 Ospf overview Types of Ospf areas Types of Ospf routing devices Ospf area types Neighbors and adjacencies Link-State DatabaseShortest Path First Tree Ospf implementation in HP 10GbE switch software Configurable parametersInternal versus external routing Defining areas Assigning the area indexArea index set to an arbitrary value Using the area ID to assign the Ospf area number Interface costAttaching an area to a network Default routes Electing the designated router and backupSummarizing routes Virtual links Router ID Enable Ospf authentication for Area 2 on switch Enable Ospf MD5 authentication for Area 2 on switch Configure MD5 key ID for Area 0 on switches 1, 2,Assign MD5 key ID to Ospf interfaces on switches 1, 2, Assign MD5 key ID to Ospf virtual link on switches 2 Ospf configuration examples Ospf features not supported in this releaseExample 1 Simple Ospf domain CLI example Example 1 Simple Ospf domain BBI example Apply, verify, and save the configuration 143 Ospf Click Submit Configure the Ospf area Click Submit Select Add Ospf Area146 Ospf Click Submit Select Add Ospf Interface 148 Apply, verify, and save the configuration 149 Configuring Ospf for a virtual link on Switch a Example 2 Virtual linksDefine the backbone Switch B in step Configuring Ospf for a virtual link on Switch BConfigure the virtual link Attach the network interface to the transit area Example 3 Summarizing routes Other Virtual Link OptionsDefine the transit area 153 Verifying Ospf configuration Remote monitoring Rmon group 1-statisticsRemote monitoring Configuring Rmon Statistics CLI example Configuring Rmon Statistics BBI exampleView Rmon statistics for the port Remote monitoring Select a port 157 Remote monitoring Enable Rmon on the port Rmon group 2-history Configure the Rmon History parameters History MIB objects Configure Rmon History BBI example Apply, verify, and save the configuration 160 Rmon group 3-alarms Alarm MIB objects Configure Rmon Alarms BBI example Configure the Rmon Alarm parameters to track Icmp messages Apply, verify, and save the configuration 163 164 Configure the Rmon Event parameters Configuring Rmon Events CLI exampleRemote monitoring Apply, verify, and save the configuration Rmon group 9-events Configuring Rmon Events BBI example Apply, verify, and save the configuration 166 High availability Uplink Failure DetectionHigh availability Failure Detection Pair Spanning Tree Protocol with UFD Configuring Uplink Failure Detection Monitoring Uplink Failure Detection Turn UFD on Configuring UFD on Switch 1 CLI exampleConfiguring UFD on Switch 2 CLI example Create a trunk group of uplink ports 18-21 to monitor Configuring Uplink Failure Detection BBI example Apply, verify, and save the configuration 172 Virtual router Vrrp overviewVrrp components Virtual router MAC address Selecting the master Vrrp router Master and backup virtual routerVrrp operation Virtual Interface Router Failover methods Active-Active redundancy HP 10GbE switch extensions to Vrrp Tracking Vrrp router priorityParameter Configuring the switch for tracking Virtual router deployment considerationsAssigning Vrrp virtual router ID Task 1 Configure Switch a High availability configurationsActive-Active configuration Configure ports Turn off Spanning Tree Protocol globally High availability Configure client and server interfacesTurn on Vrrp and configure two Virtual Interface Routers 179 Task 2 Configure Switch B Task 1 Configure Switch a BBI example Vrrp Virtual Router 1# Click Submit 183 184 Page High availability Enable Vrrp processing Click Submit Select Add Virtual Router 187 Click Submit High availability 189 Apply, verify, and save the configuration 190 Troubleshooting tools Troubleshooting toolsPort Mirroring View the current configuration Configuring Port Mirroring CLI exampleEnable Port Mirroring Select the ports that you want to mirror Configuring Port Mirroring BBI example Click Add Mirrored Port Other network troubleshooting techniques Page Index Index197 198