Juniper Networks EX2500 Understanding ACL Priority

Using ACL Filters 55

Chapter5: Quality of Service

Understanding ACL Priority

Each ACL has a unique priority value, based on its number. The lower the ACL

number, the higher the priority, so ACL 1 has the highest priority.

The priority value is used to decide which ACL rule to apply when a packet matches

one or more ACLs. When an incoming packet matches the highest priority ACL, the

ACL’s configured action takes place. The other assigned ACLs are considered in

numeric order, from lowest to highest.

In the following example, the switch considers ACL 128 before ACL 130 because

ACL 128 has a higher priority. The order in which the ACLs are assigned to a port

does not affect their priority.

Port 1 access group

ACL IP Extended 128:

TCP

Port number = 80

Action = permit

ACL IP Extended 129:

TCP

Port number = 23

Action = deny

ACL IP Extended 130:

TCP

Port number = less than 100

Action = permit

Table 13: Well-Known Application Ports

Number

TCP/UDP

Application Number

TCP/UDP

Application Number

TCP/UDP

Application

20

21

22

23

25

37

42

43

53

69

70

ftp-data

ftp

ssh

telnet

smtp

time

name

whois

domain

tftp

gopher

79

80

109

110

111

119

123

143

144

161

162

finger

http

pop2

pop3

sunrpc

nntp

ntp

imap

news

snmp

snmptrap

179

194

220

389

443

520

554

1645, 1812

1813

1985

bgp

irc

imap3

ldap

https

rip

rtsp

RADIUS

RADIUS accounting

hsrp

Contents

Main Configuration Guide Release 3.0 ii Table of Contents Part 1 EX2500 Ethernet Switch Applications Page Page Part 2 Appendixes Part 3 Indexes List of Figures Page List of Tables Page About This Guide Objectives Audience Supported Platforms xii Documentation Conventions Table 1: Notice Icons Icon Meaning Description Table 2: EX2500 Text and Syntax Conventions Convention Usage Examples List of Technical Publications Documentation Feedback Requesting Technical Support Self-Help Online Tools and Resources Opening a Case with JTAC Part 1 EX2500 Ethernet Switch Applications Page Chapter 1 Accessing the Switch Configuring the Management Interface Dynamic Host Configuration Protocol Using Telnet Using the EX2500 Web Device Manager Configuring EX2500 Web Device Manager Access via HTTP Configuring EX2500 Web Device Manager Access via HTTPS Using SNMP SNMPv1, SNMPv2 SNMPv3 Default Configuration User Configuration Configuring SNMP Trap Hosts SNMPv1 Trap Host Configuration SNMPv2 Trap Host Configuration SNMPv3 Trap Host Configuration Securing Access to the Switch RADIUS Authentication and Authorization How RADIUS Authentication Works Configuring RADIUS on the Switch RADIUS Authentication Features in the EX2500 Switch Switch User Accounts RADIUS Attributes for EX2500 User Privileges TACACS+ Authentication How TACACS+ Authentication Works TACACS+ Authentication Features in the EX2500 Switch Page Command Authorization and Logging Configuring TACACS+ Authentication on the Switch Secure Shell Configuring SSH Features on the Switch SSH Encryption of Management Messages Generating RSA Host and Server Keys for SSH Access SSH Integration with RADIUS and TACACS+ Authentication End User Access Control Considerations for Configuring End User Accounts User Access Control Listing Current Users Logging In to an End User Account Chapter 2 VLANs VLAN Overview VLANs and Port VLAN ID Numbers VLAN Numbers PVID Numbers VLAN Tagging Page Figure 2: Port-Based VLAN Assignment r o f B VLAN Topologies and Design Considerations VLAN Configuration Rules Multiple VLANs Configuration Example Page Private VLANs Private VLAN Ports Private VLAN Configuration Guidelines Private VLAN Configuration Example Chapter 3 Spanning Tree Protocol Spanning Tree Overview Bridge Protocol Data Units (BPDUs) Determining the Path for Forwarding BPDUs Bridge Priority Port Priority Port Path Cost Spanning Tree Group Configuration Guidelines Changing the Spanning Tree Mode Assigning a VLAN to a Spanning Tree Group Creating a VLAN Rules for VLAN Tagged Ports Adding and Removing Ports from STGs Rapid Spanning Tree Protocol Port State Changes Port Type and Link Type Edge Port Link Type RSTP Configuration Guidelines RSTP Configuration Example Per VLAN Rapid Spanning Tree Default Spanning Tree Configuration Why Do We Need Multiple Spanning Trees? PVRST Configuration Guidelines Configuring PVRST Multiple Spanning Tree Protocol MSTP Region Common Internal Spanning Tree MSTP Configuration Guidelines Multiple Spanning Tree Groups Configuration Example Fast Uplink Convergence Configuration Guidelines Configuring Fast Uplink Convergence Chapter 4 Ports and Trunking Trunking Overview Statistical Load Distribution Built-In Fault Tolerance Before Configuring Static Trunks Trunk Group Configuration Rules Port Trunking Configuration Example Page Configurable Trunk Hash Algorithm Link Aggregation Control Protocol Page LACP Configuration Guidelines Configuring LACP Optionally Reducing LACP Timeout Page Chapter 5 Quality of Service QoS Overview Using ACL Filters Ports ACL Filter Permit/Deny Classify Packets Perform Actions MAC Extended ACLs IP Standard ACLs IP Extended ACLs Understanding ACL Priority Port 1 access group ACL IP Extended 128: Port number = 80 Action = permit ACL IP Extended 129: Port number = 23 Action = deny ACL IP Extended 130: Port number = less than 100 Action = permit Assigning ACLs to a Port Viewing ACL Statistics ACL Configuration Examples ACL Example 1Blocking Traffic to a Host ACL Example 2Blocking Traffic from a Source to a Destination ACL Example 3Blocking HTTP Traffic ACL Example 4Blocking All Except Certain Packets Using Storm Control Filters Broadcast Storms Configuring Storm Control Using DSCP Values to Provide QoS Differentiated Services Concepts 7 6 5 4 3 2 1 0 Per Hop Behavior EX2500 Ethernet Switch Configuration Guide 62 QoS Levels ex2500# qos dscp transmit-queue <DSCP value (0-63)> <COSq (0-7)> DSCP Mapping Use the following command to turn on DSCP re-marking globally: ex2500# qos dscp enable Using 802.1p Priority to Provide QoS 7 6 5 4 3 2 1 0 7 6 5 4 3 2 1 0 Queuing and Scheduling Chapter 6 Remote Monitoring RMON Overview RMON Group 1Statistics RMON Group 2History History MIB Object ID Configuring RMON History RMON Group 3Alarms Alarm MIB Objects Configuring RMON Alarms RMON Group 9Events Page Chapter 7 IGMP IGMP Snooping FastLeave IGMPv3 Snooping IGMP Snooping Configuration Example Static Multicast Router Chapter 8 High Availability Through Uplink Failure Detection High Availability Overview Failure Detection Pair Spanning Tree Protocol with UFD UFD Configuration Guidelines UFD Configuration Example Monitoring UFD Page Page Page Appendix A Monitoring Ports with Port Mirroring Port Mirroring Overview Configuring Port Mirroring Page Page Index Numerics A B C H I J L M Q R S T U V W