ACL configuration examples | HP 445946-001 specification

Quality of Service

ACL configuration examples

Configure Access Control Lists (CLI example)

The following configuration examples illustrate how to use Access Control Lists (ACLs) to block traffic. These basic configurations illustrate common principles of ACL filtering.

NOTE: Each ACL filters traffic that ingresses on the port to which the ACL is added. The egrport classifier filters traffic that ingresses the port to which the ACL is added, and then egresses the port specified by egrport. In most common configurations, egrport is not used.

•Example 1 Use this configuration to block traffic to a specific host.

>> Main# /cfg/acl/acl		255	(Define ACL 255)
>> ACL 255# ipv4/dip 100.10.1.116 255.255.255.255
>> Filtering IPv4# ..
>> ACL 255# action deny
>> ACL 255# /cfg/port 20/aclqos			(Add ACL to port 20)
>> Port 20	ACL# add acl 255
>> Port 20	ACL# apply
>> Port 20	ACL# save

In this example, all traffic that ingresses on port 20 is denied if it is destined for the host at IP address 100.10.1.116.

•Example 2 Use this configuration to block traffic from a network destined for a specific host address.

>> Main# /cfg/acl/acl 256		(Define ACL 256)
>> ACL 256# ipv4/sip 100.10.1.0 255.255.255.0
>> ACL 256# ipv4/dip 200.20.1.116 255.255.255.255
>> Filtering IPv4# ..
>> ACL 256# action deny
>> ACL 256# /cfg/port 20/aclqos		(Add ACL to port 20)
>> Port 20	ACL# add acl 256
>> Port 20	ACL# apply
>> Port 20	ACL# save

In this example, all traffic that ingresses on port 20 with source IP from the class 100.10.1.0/24 and destination IP 200.20.1.116 is denied.

92

Image 92

HP 445946-001 manual ACL configuration examples, Configure Access Control Lists CLI example

Contents

HP 10Gb Ethernet BL-c Switch Part number First edition June Legal notices Contents Configuring Lacp 802.1x authentication processConfiguring port-based traffic control 802.1x port states Configuration guidelines Bridge priority Port priority Port path costAdding a Vlan to a Spanning Tree Group Creating a Vlan Edge port Link type 100 105106 109 131 Internal versus external routing 134141 155 Configuring the switch for tracking 177 167173 175 Introduction Accessing the switchAccessing the switch Typeface or Meaning Example Symbol Additional referencesTypographical conventions Management Network Connecting through Secure Shell Connecting through the console portConnecting through Telnet Using the command line interfaces Configuring an IP interface Using the Browser-based Interface Apply, verify, and save the configuration Using Simple Network Management Protocol Default configurationFor more details, see Configuring Snmp trap hosts Snmp User configuration Cfg/sys/ssnmp/snmpv3/usm x/auth md5sha View based configurations CLI user equivalent Configuring Snmp trap hosts Configure a user with no authentication or passwordCLI oper equivalent SNMPv1 trap host Accessing the switch Configure an entry in the notify table Sys/ssnmp/snmpv3/tparam x/uname SNMPv2 trap host configuration SNMPv3 trap host configuration Secure access to the switch Setting allowable source IP address ranges How Radius authentication works Radius authentication and authorizationConfiguring an IP address range for the management network Configuring Radius on the switch CLI example Apply and save the configuration Configuring Radius on the switch BBI example Click Submit Radius authentication features User accounts for Radius usersUser account Description and tasks performed TACACS+ authentication Accessing the switch User access levelsUser name/access User service type Value Radius attributes for user privileges How TACACS+ authentication works TACACS+ authentication featuresAuthorization User access level TACACS+ level Accounting Configure the TACACS+ secret and second secret Configure custom privilege-level mapping optional Configuring TACACS+ authentication on the switch BBI example Secure Shell and Secure Copy Configuring SSH and SCP features CLI example Enabling or disabling SSH Using SSH and SCP client commands Enter the following command to log in to the switchSwitch prompts you for the scpadmin password For example Generating RSA host and server keys for SSH access SSH and SCP encryption of management messages User account Description Password User access controlSSH/SCP integration with Radius and TACACS+ authentication Enable the user ID Setting up user IDsDefine the user name and password Ports on the switch Ports and trunkingPorts and trunking Port number Port alias Before you configure trunks Built-in fault tolerancePorts and trunking Ethernet switch port names Port trunk groups Trunk group configuration rules Cfg/port x/cur Port trunking example On Switch 2, configure trunk groups 4 Configuring trunk groups CLI exampleOn Switch 1, configure trunk groups 5 Configuring trunk groups BBI example Click Submit Page Link Aggregation Control Protocol Configurable Trunk Hash algorithmActor Switch Partner Switch Page Configuring Lacp Define the admin key on portApply and verify the configuration Save your new configuration changes Port-based Network Access and traffic control Port-based Network Access controlExtensible authentication protocol over LAN Port-based Network Access and traffic control 802.1x authentication process EAPoL Message Exchange 802.1x port states Supported Radius attributes Attribute Attribute Value EAPoL configuration guidelines Port-based traffic control Configuring port-based traffic control VLANs OverviewVLANs and port Vlan ID numbers Vlan numbers Viewing and configuring PVIDs Port configurationPvid numbers Viewing VLANs Vlan tagging VLANs VLANs VLANs and IP interfaces Vlan topologies and design considerations Vlan configuration rules Multiple Vlans with tagging Component Description VLANs Multiple VLANs with tagging Configuring the example networkConfiguring ports and VLANs on Switch 1 CLI example # add Add port 18 to Vlan Current Ports for Configuring ports and VLANs on Switch 2 CLI example Configuring ports and VLANs on Switch 1 BBI example VLANs Enable the port and enable Vlan tagging FDB static entries Cfg/l2/fdb/static Configuring a static FDB entry Trunking support for FDB static entries Spanning Tree Protocol Spanning Tree ProtocolBridge Protocol Data Units Determining the path for forwarding BPDUs Spanning Tree Group configuration guidelinesDefault Spanning Tree configuration Adding a Vlan to a Spanning Tree Group Creating a VlanRules for Vlan tagged ports Adding and removing ports from STGs Why do we need Multiple Spanning Trees? Switch element Belongs toMultiple Spanning Trees Assigning cost to ports and trunk groups Vlan participation in Spanning Tree Groups Two VLANs on separate instances of Spanning Tree Protocol Configuring Switch 2 CLI example Configuring Multiple Spanning Tree GroupsConfiguring Switch 1 CLI example Configuring Switch 1 BBI example Page Configuring Port Fast Forwarding Configuration guidelinesConfiguring Fast Uplink Convergence Port Fast Forwarding Rstp and Mstp Rapid Spanning Tree ProtocolPort state changes Rstp and Mstp Port type and link type Rstp configuration guidelinesRstp configuration example Configuring Rapid Spanning Tree Protocol BBI example Rstp and Mstp Apply, verify, and save the configuration Multiple Spanning Tree ProtocolMstp region Common Internal Spanning Tree Mstp configuration guidelines Mstp configuration exampleConfiguring Multiple Spanning Tree Protocol CLI example Assign VLANs to Spanning Tree Groups Configuring Multiple Spanning Tree Protocol BBI example Click Submit Page Apply, verify, and save the configuration Quality of Service Quality of Service Number Protocol Name Using ACL filtersSummary of packet classifiers Quality of Service Well-known protocol types NumberApplication Well-krown TCP flag values Precedence Group ACLs Precedence Level Summary of ACL actionsUnderstanding ACL precedence Using ACL Groups ACL Metering and Re-marking Viewing ACL statisticsMetering Re-marking ACL configuration examples Configure Access Control Lists CLI example Configure Access Control Lists and Groups BBI example Click Submit Page Quality of Service Add the ACL to the port Using Dscp values to provide QoS Differentiated Services conceptsPer Hop Behavior Drop Precedence Class Using 802.1p priorities to provide QoS Service Level Default PHB 802.1p PriorityQoS levels Class selector priority classesPage Configure a port’s default 802.1 priority 802.1p configuration CLI example802.1p configuration BBI example Quality of Service Select a port 101 Quality of Service Set the 802.1p priority value 102 103 Page Queuing and scheduling Basic IP routing IP routing benefitsRouting between IP subnets Basic IP routingPage Page Interface Devices IP Interface Address Example of subnet routingSubnet Devices IP Addresses Using VLANs to segregate broadcast domains Enable, apply, and verify the configurationDevices IP Interface Switch Port Add the switch ports to their respective VLANs 110 111 Dynamic Host Configuration Protocol Dhcp relay agent Dhcp relay agent configuration Routing updates Routing Information ProtocolDistance vector protocol Stability RIPv2 in RIPv1 compatibility mode RIP FeaturesRIPv1 RIPv2 Default AuthenticationMulticast Metric RIP configuration example Add VLANs for routing interfacesAdd IP interfaces to VLANs Cfg/l3/frwd/on before you turn RIP on Igmp Snooping Igmp Snooping IGMPv3 FastLeave Igmp Filtering Configuring the rangeConfiguring the action Igmp Snooping configuration example Configuring Igmp Snooping CLI exampleEnable IGMPv3 Snooping optional Static multicast router Configuring Igmp Filtering CLI example Configuring a Static Mrouter CLI exampleEnable Igmp Filtering on the switch Define an Igmp Filter Configuring Igmp Snooping BBI example Igmp Snooping Enable Igmp Snooping Apply, verify, and save the configuration 124 Configuring Igmp Filtering BBI example 126 Igmp Snooping Define the Igmp FilterSelect Layer 3 Igmp Igmp Filters Add Filter Page Apply, verify, and save the configuration 128 Configuring a Static Multicast Router BBI example Configure Static Mrouter Click the Configure context button Apply, verify, and save the configuration Igmp Snooping 130 Ospf overview Types of Ospf areas Types of Ospf routing devices Ospf area types Shortest Path First Tree Neighbors and adjacenciesLink-State Database Internal versus external routing Ospf implementation in HP 10GbE switch softwareConfigurable parameters Area index set to an arbitrary value Defining areasAssigning the area index Attaching an area to a network Using the area ID to assign the Ospf area numberInterface cost Summarizing routes Default routesElecting the designated router and backup Virtual links Router ID Enable Ospf authentication for Area 2 on switch Configure MD5 key ID for Area 0 on switches 1, 2, Assign MD5 key ID to Ospf interfaces on switches 1, 2,Enable Ospf MD5 authentication for Area 2 on switch Assign MD5 key ID to Ospf virtual link on switches 2 Example 1 Simple Ospf domain CLI example Ospf configuration examplesOspf features not supported in this release Example 1 Simple Ospf domain BBI example Apply, verify, and save the configuration 143 Ospf Click Submit 146 Configure the Ospf areaClick Submit Select Add Ospf Area Ospf Click Submit Select Add Ospf Interface 148 Apply, verify, and save the configuration 149 Define the backbone Configuring Ospf for a virtual link on Switch aExample 2 Virtual links Configuring Ospf for a virtual link on Switch B Configure the virtual linkSwitch B in step Attach the network interface to the transit area Define the transit area Example 3 Summarizing routesOther Virtual Link Options 153 Verifying Ospf configuration Remote monitoring Remote monitoringRmon group 1-statistics View Rmon statistics for the port Configuring Rmon Statistics CLI exampleConfiguring Rmon Statistics BBI example Remote monitoring Select a port 157 Remote monitoring Enable Rmon on the port Rmon group 2-history Configure the Rmon History parameters History MIB objects Configure Rmon History BBI example Apply, verify, and save the configuration 160 Rmon group 3-alarms Alarm MIB objects Configure Rmon Alarms BBI example Configure the Rmon Alarm parameters to track Icmp messages Apply, verify, and save the configuration 163 164 Configuring Rmon Events CLI example Remote monitoring Apply, verify, and save the configurationConfigure the Rmon Event parameters Rmon group 9-events Configuring Rmon Events BBI example Apply, verify, and save the configuration 166 High availability High availabilityUplink Failure Detection Failure Detection Pair Spanning Tree Protocol with UFD Configuring Uplink Failure Detection Monitoring Uplink Failure Detection Configuring UFD on Switch 1 CLI example Configuring UFD on Switch 2 CLI exampleTurn UFD on Create a trunk group of uplink ports 18-21 to monitor Configuring Uplink Failure Detection BBI example Apply, verify, and save the configuration 172 Vrrp overview Vrrp componentsVirtual router Virtual router MAC address Master and backup virtual router Vrrp operationSelecting the master Vrrp router Virtual Interface Router Failover methods Active-Active redundancy Parameter HP 10GbE switch extensions to VrrpTracking Vrrp router priority Assigning Vrrp virtual router ID Configuring the switch for trackingVirtual router deployment considerations High availability configurations Active-Active configurationTask 1 Configure Switch a Configure ports High availability Configure client and server interfaces Turn on Vrrp and configure two Virtual Interface RoutersTurn off Spanning Tree Protocol globally 179 Task 2 Configure Switch B Task 1 Configure Switch a BBI example Vrrp Virtual Router 1# Click Submit 183 184 Page High availability Enable Vrrp processing Click Submit Select Add Virtual Router 187 Click Submit High availability 189 Apply, verify, and save the configuration 190 Port Mirroring Troubleshooting toolsTroubleshooting tools Configuring Port Mirroring CLI example Enable Port MirroringView the current configuration Select the ports that you want to mirror Configuring Port Mirroring BBI example Click Add Mirrored Port Other network troubleshooting techniques Page 197 IndexIndex 198