Nortel Networks 5510, 5520, 5530 8.3 IP Source Guard

Filters and QoS Configuration for ERS 5500

Technical Configuration Guide v2.0 NN48500-559

___________________________________________________________________________________________________________________________

Nortel Confidential Information Copyright © 2008 Nortel Networks. All Rights Reserved.

External Distribution

31

• 5500(config)#ip arp-inspection vlan 100

• 5500(config)#ip arp-inspection vlan 200

• 5500(config)#interface fastEthernet 1/24

• 5500(config-if)#ip arp-inspection trusted

• 5500(config-if)#exit

8.3 IP Source Guard

IP source guard works together with the DHCP snooping binding table by provi ding security

against invalid source IP addresses. If enabled, the source IP address is c hecked against the

source IP address in the binding table on untrusted ports. If the incoming s ource IP address does

not match the IP address in the binding table, the packet is dropped. Pl ease note that manual

(static) assignment of IP addresses is not allowed as DHCP snooping does not support static

binding entries

8.3.1 IP Source Guard Configuration

Assuming DHCP snooping is already configured with untrusted port members 2-20, enter the

following commands:

• 5500(config)#interface fastEthernet 2-20

• 5500(config-if)#ip verify source

• 5500(config-if)#exit

Contents

Main Page Abstract Table of Contents List of Figures List of Tables Document Updates Conventions Symbols: Text: 1. Overview: Ethernet Routing Switch 5500 QoS and Filtering Classification Actions Supported Statistics 2. QoS Flow Chart or 3. Filter Functionality 3.1 Overall Classification Functionality 3.2 Classifier Block Functionality 3.3 Port Range Functionality 3.4 Policies Page 4. Queue Sets 8 CoS 7 CoS 6 CoS 5 CoS 4 CoS 3 CoS 2 CoS 1 CoS Page 5. Traffic Meter and Shaping 5.1 Actual Bucket Size 5.2 Policing Traffic Page 5.3 Interface Shaper 6. Default Nortel Class of Service 7. QoS Access Lists (ACL) 7.1 ACL Configuration 7.1.1 IP-ACL Configuration 7.1.2 L2-ACL Configuration 7.1.3 ACL-Assign Configuration 7.1.4 ACL Configuration Example The DSCP value are entered in decimal; please refer to section 6 for details The following table displays the various protocol numbers: Protocol Number Protocol 1 ICMP 2 IGMP 6 TCP 17 UDP 46 RSVP 5530H-24TFD#show qos ip-acl 5530H-24TFD#show qos policy Page 8. IP Security Features 8.1 DHCP Snooping 8.1.1 DHCP Snooping Configuration 8.2 Dynamic ARP Inspection 8.2.1 Dynamic ARP Inspection Configuration 8.3 IP Source Guard 8.3.1 IP Source Guard Configuration 9. BPDU Filtering 9.1 BPDU Filtering Configuration 10. QoS Interface Applications 10.1 ARP Spoofing 10.2 DHCP Attacks 10.3 DoS 10.4 BPDU Blocking 11. Configuration Steps Policy Configuration 11.1 Role Combination 11.2 Classification o One IP and one L2 classifier element ERS5500-48T(config)#qos classifier-block 2 block-number 1 name block_1 se t-id 4 11.3 Meters 11.4 Add a New Policy 12. Configuration Examples 12.1 Pre-defined Values 12.2 Configuration Example 1 Traffic Meter Using Policies 12.2.1 ERS5500 Configuration Using Policies Page 12.2.2 Verify Operations 12.2.3 Verify Classifier and Classifier Block Configuration Step 1 Verify that the 3 Classifiers ERS5500-24T# show qos classifier Result: Step 3 Verify that the Meter Configuration Step 3 Verify that the Classifier Block with the correct classifier and m eter number ERS5500-24T#show qos classifier-block Result: 12.2.3.1 Verify Policy Configuration Step 1 Verify that the QoS Policy ERS5500-24T#show qos policy Result: 12.3.1 ERS5500 Configuration Page Page 12.3.2 Verify Operations Page ERS5500-24T# show ip source binding Result: ERS5500-24T#show qos ip-acl Result: Page Page Step 2 To view the IP ACL assignment, enter the following comm and: ERS5500-24T#show qos acl-assign Result: 12.4 Configuration Example 3: Port Range Using ACL or Policy 12.4.1 Configuration Using Policies 12.4.2 Configuration Using IP-ACLs 12.5 Configuration Example 4 L2 Classification Based on MAC Address 12.5.1 ERS5500 Configuration Using Policies 12.5.2 ERS5500 Configuration Using IP-ACLs 12.6 Configuration Example 5 L2 and L3 Classification 12.6.1 ERS5500 Configuration Using Policies Page 12.7.1 ERS5500 Configuration 12.7.2 ACL Configuration 12.7.3 Policy Configuration 12.7.4 Verify Operations 12.8 Configuration Example 7 Interface Shaping 12.8.2 Verify Operations 13. Software Baseline 14. Reference Documentation