Manuals / Nortel Networks / Computer Equipment / Switch

Nortel Networks 42C4911 manual ACL Configuration Examples, Configure an Access Control List

Models: 42C4911

1 260

Download 260 pages 54.2 Kb

Page 132

Alteon OS Application Guide

ACL Configuration Examples

Example 1

Use this configuration to block traffic to a specific host. All traffic that ingresses on port EXT1 is denied if it is destined for the host at IP address 100.10.1.1

1.Configure an Access Control List.

>> Main# cfg/acl/acl 1

(Define ACL 1)

>>ACL 1# ipv4/dip 100.10.1.1

Enter destination IP address mask (default 255.255.255.255): >> Filtering IPv4# ..

>> ACL 1# action deny

2.	Add ACL 1 to port EXT1.

	>> Main# cfg/port	ext1/aclqos	(Select port EXT 1 to assign ACLs)
	>> Port EXT1 ACL#	/add acl 1	(Assign ACL 1 to the port)
3.	Apply and save the configuration.

	>> Port EXT1 ACL#	apply
	>> Port EXT1 ACL#	save

Example 2

Use this configuration to block traffic from a network destined for a specific host address. All traffic that ingresses in port EXT2 with source IP from the class 100.10.1.0/24 and destination IP 200.20.2.2 is denied.

1.Configure an Access Control List.

>> Main# cfg/acl/acl 2

(Define ACL 2)

>>ACL 2# ipv4/sip 100.10.1.0 255.255.255.0

>>Filtering IPv4# ipv4/dip 200.20.2.2 255.255.255.255

>>Filtering IPv4# ..

>>ACL 2# action deny

2.Add ACL 2 to port EXT2.

>>	Main# cfg/port	ext2/aclqos	(Select port EXT2 to assign ACLs)
>>	Port EXT2 ACL#	/add acl 2	(Assign ACL 2 to the port)

132 Chapter 7: Quality of Service

42C4911, January 2007

Image 132

Nortel Networks 42C4911 manual ACL Configuration Examples, Configure an Access Control List, Add ACL 1 to port EXT1

Contents

Application Guide Alteon OS Application Guide Contents Port-based Network Access Control Rapid Spanning Tree Protocol/Multiple Spanning Tree Protocol Part 2 IP Routing Border Gateway Protocol Part 3 High Availability Fundamentals Part 4 Appendices Alteon OS Application Guide Figures 3Two trunks, one Failover Trigger Tables Alteon OS Application Guide Preface Who Should Use This GuidePart 1 Basic Switching What You’ll Find in This GuidePart 3 High Availability Fundamentals Typographic Conventions AaBbCc123How to Get Help Alteon OS Application Guide 20 „ Preface Part 1 Basic Switching Alteon OS Application Guide Accessing the Switch Management module setup Factory-Default vs. MM assigned IP AddressesDefault Gateway Configuring management module for switch access1Switch management on the BladeCenter management module Alteon OS Application Guide External management port setup Configuring the external management interfaceEnable port EXT7 Using Telnet Connect to the Switch via SSHBootp Relay Agent Telnet switch IP address -m-mgt-e-ext7-d-dataConfiguring the Bootp Relay Agent # /cfg/l3/bootp# /cfg/l3/if interface number/relay ena Dhcp Relay Agent Configuration Dhcp Relay Agent32 „ Accessing the Switch Using the Browser-Based Interface Configuring BBI Access via HttpConfiguring BBI Access via Https Cfg/sys/access/https/generate † TACACS+ † Ldap † NTP† FDB Using Snmp SnmpCfg/sys/ssnmp/rcomm Cfg/sys/ssnmp/wcomm Cfg/sys/ssnmp/trsrcDefault configuration User ConfigurationView based Configurations CLI User equivalentConfiguring Snmp Trap Hosts Configure a user with no authentication and passwordSNMPv1 trap host Configure an entry in the notify table Sys/ssnmp/snmpv3/tparam x/unameSNMPv2 trap host configuration SNMPv3 trap host configuration42 „ Accessing the Switch Securing Access to the Switch Radius Authentication and Authorization How Radius Authentication WorksConfiguring Radius on the Switch Configure the Radius secret Main# /cfg/sys/radiusPrisrv SecsrvRadius Authentication Features in Alteon OS Switch User Accounts Radius Attributes for Alteon OS User PrivilegesTACACS+ Authentication How TACACS+ Authentication WorksTACACS+ Authentication Features in Alteon OS Authorization 4Default TACACS+ Authorization LevelsCommand Authorization and Logging AccountingCfg/sys/tacacs/chpassp Cfg/sys/tacacs/chpasssConfiguring TACACS+ Authentication on the Switch Configure the TACACS+ secret and second secretApply and save the configuration Main# /cfg/sys/tacacs+Ldap Authentication and Authorization Configuring the Ldap ServerConfiguring Ldap Authentication on the Switch Configure the domain nameMain# /cfg/sys/ldap Secure Shell and Secure Copy Configuring SSH/SCP features on the switch # /cfg/sys/sshd/on# /cfg/sys/sshd/off # /cfg/sys/sshd/disConfiguring the SCP Administrator Password Using SSH and SCP Client CommandsSsh 205.178.15.157 Login-name # scp scpadmin@205.178.15.157getcfg ad4.cfgTo apply and save the configuration # scp ad4.cfg scpadmin@205.178.15.157putcfgSSH and SCP Encryption of Management Messages Generating RSA Host and Server Keys for SSH Access Cfg/sys/sshd/hkeygenCfg/sys/sshd/skeygen SSH/SCP Integration with Radius Authentication SSH/SCP Integration with TACACS+ AuthenticationEnd User Access Control Considerations for Configuring End User AccountsStrong Passwords User Access Control Menu# /cfg/sys/access/user # /cfg/sys/access/user/uidName user1 Passwd# cur # /cfg/sys/access/user/cur Listing Current UsersLogging into an End User Account Alteon OS Application Guide 42C4911, January Alteon OS Application Guide 66 „ Accessing the Switch Port-based Network Access Control Extensible Authentication Protocol over LAN 802.1x Authentication Process Port UnauthorizedEAPoL Message Exchange 802.1x Port States „ Unauthorized„ Authorized „ Force UnauthorizedSupported Radius Attributes Support for Radius AttributesConfiguration Guidelines 42C4911, January VLANs Overview VLANs and Port Vlan ID Numbers Vlan NumbersPvid Numbers Viewing VLANsViewing and Configuring PVIDs Cfg/port INT7/pvidAlteon OS Application Guide Vlan Tagging 1Default Vlan settings 2Port-based Vlan assignment 4802.1Q tag assignment Vlan configuration rules Vlan Topologies and Design ConsiderationsExample 1 Multiple VLANs with Tagging Adapters Component Description86 „ VLANs Protocol-based VLANs Port-based vs. Protocol-based VLANs Pvlan Priority LevelsPvlan Tagging Pvlan Configuration Guidelines Configuring PvlanConfigure the priority value for the protocol Cfg/l2/vlanConfigure Vlan tagging for ports Enable the PvlanAdd member ports for this Pvlan Verify Pvlan operation Info/l2/vlanAlteon OS Application Guide 92 „ VLANs Ports and Trunking 1Port Trunk Group Built-In Fault Tolerance Before you configure static trunksStatistical Load Distribution Trunk group configuration rules Example below, three ports are trunked between two switches Port Trunking ExampleRepeat the process on the other switch Examine the trunking information on each switch Info/l2/trunkConfigurable Trunk Hash Algorithm Admin key Link Aggregation Control Protocol102 „ Ports and Trunking Configuring Lacp Alteon OS Application Guide 104 „ Ports and Trunking Spanning Tree Group 1Ports, Trunk Groups, and VLANs Bridge Protocol Data Units BPDUs Determining the Path for Forwarding BPDUsBridge Priority Port PrioritySpanning Tree Group configuration guidelines Port Path CostAdding a Vlan to a Spanning Tree Group Creating a VlanRules for Vlan Tagged ports Adding and removing ports from STGsDefault Spanning Tree configuration Multiple Spanning TreesWhy Do We Need Multiple Spanning Trees? Switch-Centric Spanning Tree GroupVlan Participation in Spanning Tree Groups 2Implementing Multiple Spanning Tree GroupsConfiguring Multiple Spanning Tree Groups Configure the following on application switch aConfigure the following on GbE Switch Module B # /cfg/l2/vlan2Configure the following on application switch C # /cfg/l2/vlan3Configuring Port Fast Forwarding Port Fast Forwarding# /cfg/port ext1 Fastfwd enaConfiguring Fast Uplink Convergence Fast Uplink Convergence# /cfg/l2/upfast ena # applyRapid Spanning Tree Protocol/Multiple Spanning Tree Protocol Rapid Spanning Tree Protocol Port State ChangesRstp Configuration Guidelines Port Type and Link TypeEdge Port Link TypeRstp Configuration Example Configure Rapid Spanning TreeSet the Spanning Tree mode to Rapid Spanning Tree Configure STP Group 1 parametersMultiple Spanning Tree Protocol Mstp RegionCommon Internal Spanning Tree Mstp Configuration Guidelines Mstp Configuration ExampleConfigure Multiple Spanning Tree Protocol Assign VLANs to Spanning Tree GroupsQuality of Service ACL Quality of Service „ Using ACL Filters Summary of packet classifiers2Well-Known Application Ports Summary of ACL Actions Understanding ACL PrecedenceUsing ACL Groups „ Access Control Lists„ Access Control Groups ACL Metering and Re-markingViewing ACL Statistics MeteringRe-Marking ACL Configuration Examples Configure an Access Control ListExample Add ACL 1 to port EXT1Add ACL 3 to port EXT1 ACL 3# ipv4/sip 100.10.1.0ACL 3# action deny Using Dscp Values to Provide QoS Differentiated Services ConceptsPer Hop Behavior Dscp Default QoS Service Levels QoS LevelsDscp Re-marking and Mapping Dscp Re-marking Configuration Example Enable Dscp re-marking on a portMain# cfg/qos/dscp/on Main# cfg/port EXT1Using 802.1p Priorities to Provide QoS 3Layer 2 802.1q/802.1p Vlan tagged packet802.1p Configuration Example Configure a port’s default 802.1p priorityQueuing and Scheduling Port EXT1# 8021ppriPart 2 IP Routing 142 42C4911, January Basic IP Routing IP Routing Benefits Routing Between IP Subnets 1The Router Legacy Network2Switch-Based Routing Topology Alteon OS Application Guide Example of Subnet Routing 1Subnet Routing Example IP Address Assignments# /cfg/l3/if # addr# ../if Using VLANs to Segregate Broadcast Domains Add the switch ports to their respective VLANsAdd each IP interface to the appropriate Vlan Vlan 3# /cfg/l3/ifVlan # /info/vlanDynamic Host Configuration Protocol Dhcp Relay Agent Dhcp Relay Agent Configuration # /cfg/l3/bootpRouting Information Protocol Distance Vector ProtocolStability Routing Updates RIPv1RIPv2 RIPv2 in RIPv1 compatibility mode RIP FeaturesTriggered updates PoisonRIP Configuration Example DefaultAuthentication MetricTurn on RIP globally and enable RIP for each interface Add VLANs for routing interfacesAdd IP interfaces to VLANs 42C4911, January Igmp Igmp Snooping Igmp Snooping Configuration Example Configure Igmp SnoopingAdd VLANs to Igmp Snooping and enable the feature View dynamic Igmp informationConfigure a Static Multicast Router Apply, verify, and save the configurationStatic Multicast Router Cfg/l3/igmp/mrouterConfiguration Guidelines Igmp RelayConfigure Igmp Relay Configure an IP interface and assign VLANsEnable Igmp Relay and add VLANs to the downstream network Configure the upstream MroutersMulticast Router Apply Additional Igmp Features Configuring the RangeFastLeave Igmp FilteringConfiguring the Action Configure Igmp FilteringEnable Igmp Filtering on the switch Define an Igmp filterAssign the Igmp filter to a port Filt enaBorder Gateway Protocol Internal Routing Versus External Routing 1iBGP and eBGPForming BGP Peer Routers What is a Route Map? # /cfg/l3/rmap2Distributing Network Filters in Access Lists and Route Maps Incoming and Outgoing Route MapsConfiguration Overview PrecedenceDefine network filter Optional Configure the attributes in the AS filter menu Set up the BGP attributesEnable the route map Assign the route map to a peer routerAggregating Routes Redistributing Routes BGP Attributes Local Preference AttributeMetric Multi-Exit Discriminator Attribute Selecting Route Paths in BGP BGP Failover Configuration 3BGP Failover Configuration ExampleEnable IP forwarding Define the VLANsDefine the IP interfaces Configure BGP peer router 1 On the switch, apply and save your configuration changesDefault Redistribution and Route Aggregation Example # /cfg/l3/bgpConfigure internal peer router 1 and external peer router Configure redistribution for PeerConfigure aggregation policy control Ospf Ospf Overview Types of Ospf AreasNssa Types of Ospf Routing Devices 2OSPF Domain and an Autonomous SystemNeighbors and Adjacencies Link-State DatabaseShortest Path First Tree Internal Versus External RoutingConfigurable Parameters Ospf Implementation in Alteon OSDefining Areas Assigning the Area IndexUsing the Area ID to Assign the Ospf Area Number Attaching an Area to a NetworkElecting the Designated Router and Backup Interface CostSummarizing Routes Default Routes # /cfg/l3/ospf/default metric value metric type 1 orVirtual Links # /cfg/l3/ospf/aindex area index/type transitAuthentication Router IDEnable Ospf authentication for Area 0 on switches 1, 2, # /cfg/l3/ospf/ifEnable Ospf authentication for Area 2 on switch Enable Ospf MD5 authentication for Area 0 on switches 1, 2,Configure MD5 key ID for Area 0 on switches 1, 2, Assign MD5 key ID to Ospf interfaces on switches 1, 2,Assign MD5 key ID to Ospf virtual link on switches 2 Host Routes for Load BalancingOspf Features Not Supported in This Release Ospf Configuration Examples Configure IP interfacesOptional Configure the router ID Enable Ospf # enableExample 1 Simple Ospf Domain # /cfg/l3/if # addrApply and save the configuration changes Define the backboneDefine the stub area Attach the network interface to the backboneConfiguring Ospf for a Virtual Link on Switch #1 Configure the router IDExample 2 Virtual Links IP # /cfg/l3/ospf/onConfigure the virtual link Define the transit areaAttach the network interface to the transit area Configuring Ospf for a Virtual Link on Switch #2 # ../aindexOther Virtual Link Options Define the stub areaExample 3 Summarizing Routes 7Summarizing Routes# /cfg/l3/if # addr # enaVerifying Ospf Configuration 36.128.192.036.128.200.0 Alteon OS Application Guide 214 „ Ospf Part 3 High Availability Fundamentals 216 42C4911, January High Availability Layer 2 Failover Vlan MonitorSetting the Failover Limit L2 Failover with Other FeaturesSpanning Tree Protocol L2 Failover Configurations InternetI t t2Two trunks, each in a different Failover Trigger 3Two trunks, one Failover Trigger Configuring Trunk Failover Configure Failover parameters# /cfg/failovr/on Vrrp Overview Vrrp ComponentsVirtual Router Virtual Router MAC AddressMaster and Backup Virtual Router Virtual Interface RouterVrrp Operation Selecting the Master Vrrp Router4A Non-VRRP, Hot-Standby Configuration Failover MethodsActive-Active Redundancy 5Active-Active RedundancyHot-Standby Redundancy Virtual Router GroupAlteon OS extensions to Vrrp Tracking Vrrp Router PriorityConfiguring the Switch for Tracking Virtual Router Deployment ConsiderationsAssigning Vrrp Virtual Router ID 232 „ High Availability High Availability Configurations Active-Active ConfigurationTask 1 Configure GbESM Configure client and server interfacesTurn on Vrrp and configure two Virtual Interface Routers Configure portsTurn off Spanning Tree Protocol globally Task 2 Configure GbESM Cfg/l3/vrrp/vr Hot-Standby Configuration 8Hot-Standby Configuration Configure Virtual Interface Routers Enable Vrrp Hot StandbyRouter Group# track/ports enaEnable tracking on ports 242 „ High Availability Part 4 Appendices 244 42C4911, January Troubleshooting Monitoring Ports Figure A-1Monitoring PortsPort Mirroring behavior Layer 2 Port Mirroring248 „ Appendix a Troubleshooting Layer 3 Port Mirroring Both Ports in Different GEAs /info/geaport command Configuring Port Mirroring Enable port mirroringSpecify the monitoring port Select the ports that you want to mirrorView the current configuration PortMirroring # curRadius Server Configuration Notes „ @alteon.dct Glossary TranslationVrid Virtual Router Index NumericsIcmp 188 Snmp