IP Source Guard | Nortel Networks 5510, 5520, 5530 specification

Filters and QoS Configuration for ERS 5500
Technical Configuration Guide	v2.0	NN48500-559

•5500(config)#ip arp-inspection vlan 100

•5500(config)#ip arp-inspection vlan 200

•5500(config)#interface fastEthernet 1/24

•5500(config-if)#ip arp-inspection trusted

•5500(config-if)#exit

8.3IP Source Guard

IP source guard works together with the DHCP snooping binding table by providing security against invalid source IP addresses. If enabled, the source IP address is checked against the source IP address in the binding table on untrusted ports. If the incoming source IP address does not match the IP address in the binding table, the packet is dropped. Please note that manual (static) assignment of IP addresses is not allowed as DHCP snooping does not support static binding entries

8.3.1 IP Source Guard Configuration

Assuming DHCP snooping is already configured with untrusted port members 2-20, enter the following commands:

•5500(config)#interface fastEthernet 2-20

•5500(config-if)#ip verify source

•5500(config-if)#exit

___________________________________________________________________________________________________________________________

Nortel Confidential Information Copyright © 2008 Nortel Networks. All Rights Reserved.
External Distribution	31

Image 32

Nortel Networks 5510, 5520, 5530 manual IP Source Guard Configuration

Contents

Ethernet Routing Switch NN48500-559 Abstract Table of Contents List of Figures List of Tables Document Updates SymbolsConventions Text Overview Ethernet Routing Switch 5500 QoS and Filtering Classification Untrusted PortsUnrestricted Ports ƒ Layer 2 Classifier Elements Actions Supported Statistics QoS Flow Chart Classifier Block Functionality Filter FunctionalityOverall Classification Functionality Port Range Functionality 7, 15, 31, 63 255, 511, 1025 4095, 8191 32762, or Min = Default Policy Drop Action Policies NN48500-559 Queue Sets 5520-24T-PWRconfig#qos agent buffer large maximum regular5520-24T-PWRconfig#default qos agent buffer Ethernet Routing Switch 5500 Egress CoS Queuing Egress CoS Queuing CoS 5520-24T-PWRconfig#show qos queue-set-assignment 5520-24T-PWRconfig#qos agent queue set Egress Queue Recommendations 5520-24T-PWRconfig#default qos agent queue-set5520-24T-PWRconfig#qos agent reset-default Traffic Meter and Shaping Bucket Size Actual Bucket Size Policing TrafficActual Bucket Size in Bytes Actual size in bytes Interface Parameter Description Example Bucket Size Max burst rate Committed rate Duration MSec Interface ShaperMeter Bucket Size and Duration 5530-24TFDconfig#show qos if-shaper port Default Nortel Class of Service Default Nortel CoS MarkingsBinary Hex Decimal QoS Access Lists ACL ACL ConfigurationIP-ACL Configuration Config#qos ip-acl name 1..16 character string ? 2 L2-ACL Configuration ACL-Assign ConfigurationACL Configuration Example Config#qos l2-acl name 1..16 character string ? 5530H-24TFD#show qos ip-acl Verification5530H-24TFD#show qos acl-assign 5530H-24TFD#show qos policy 5500config#no qos acl-assign 5500config#no qos acl-assign 1 port 1/195500config#no qos ip-acl Changing ACL IP Security Features Dhcp Snooping ConfigurationDynamic ARP Inspection Configuration Dhcp Snooping IP Source Guard Configuration IP Source Guard Bpdu Filtering Configuration Bpdu Filtering QoS Applications Number of Classifiers Used Feature QoS Interface Applications Configuration Example ARP Spoofing Dhcp Attacks Dhcp Snooping 10.3 DoS Bpdu Blocking Configuration Steps Policy Configuration Role CombinationERS5500-48T#show qos if-assign ERS5500-48T#show qos if-group ERS5500-48Tconfig#qos ip-element 1-64000? ClassificationAdding IP and L2 Element IP Element Adding a Classifier Adding a Classifier Block Meters Parameters and variables Description Add a New Policy QoS Action Configuration ExamplesPre-defined Values Configuration Example 1 Traffic Meter Using Policies 12.2.1 ERS5500 Configuration Using PoliciesConfigure the Interface Role Combination Configure the IP elements ERS5500 Create the classifier block Configure MetersConfigure the Classifier Block Configure the Policy Verify OperationsERS5500 Create the policy Verify the Role Combination Verify Classifier and Classifier Block Configuration Name m1 ERS5500-24T#show qos classifier-block Verify Policy Configuration Verify that the QoS Policy 12.3.1 ERS5500 Configuration IP ACL, Dhcp Snooping, ARP Inspection, and Source Guard ERS5500 Add IP address to Vlan 700 and enable Ospf ERS5500 Enable ARP-Inspection for VLAN’s 110 ERS5500 Assign the IP-ACL’s to ports Verify DHCP-Snooping Verify ARP Inspection VID Verify ACL Configuration Verify IP Source Guard NN48500-559 NN48500-559 ERS5500-24T#show qos acl-assign Configuration Example 3 Port Range Using ACL or Policy TCP Port Range ERS5500 Create IP elements for UDP port range Configuration Using PoliciesConfigure the Policies Configuration Using IP-ACL’s ERS5500 Remark all other traffic to Bronze 12.5.1 ERS5500 Configuration Using Policies Create Policy ERS5500 Assign the L2-ACL’s to ports 12.5.2 ERS5500 Configuration Using IP-ACL’sERS5500 Pass all other traffic with standard CoS Configuration Example 5 L2 and L3 Classification 12.6.1 ERS5500 Configuration Using Policies Configure Classifier and Classifier Blocks ERS5500 Add L2 elements for Vlan 110 12.7.1 ERS5500 Configuration Dscp Mapping via Un-restricted Port Role ACL Configuration Policy Configuration View the Queue Assignments ID ID Verify Shape Rate Configuration Configuration Example 7 Interface ShapingEnable Shaping on Port Software Baseline Reference Documentation Contact us