QoS Interface Applications | Nortel Networks 5530, 5520, 5510

Filters and QoS Configuration for ERS 5500
Technical Configuration Guide	v2.0	NN48500-559

10. QoS Interface Applications

In the 4.2 software release or higher, several new QoS applications designed to enhance security have been added to the switch. These QoS security applications target several of the most common denial of service (DoS) launched against networks today. The following items have been added:

•ARP Spoofing

•DHCP Snooping

•DHCP Spoofing

•SQLSlam

•Nachia

•Xmas

•TCP SynFinScan

•TCP FtpPort

•TCP DnsPort

•BPDU Blocker

When using any of the QoS applications listed above, a number of classifiers are required per QoS applications. Please refer to table 10 shown below.

Table 10: QoS Applications – Number of Classifiers Used

Feature	Number of Classifiers
ARP Spoofing	5
DHCP Snooping	1
DHCP Spoofing	2
DoS SQLSlam	1
DoS Nachia	1
DoS Xmas	1
DoS TCP SynFinScan	1
DoS TCP FTPPort	2
DoS TCP DNS Port	2
BPDUBlock	1

For more details on Layer 2 security, please refer to the Technical Configuration guide titled ‘Layer Security Solutions for ES and ERS Switches’ for more details in regards to security and adding security filters for the Ethernet Routing Switch prior to release 4.2. This document can be found by going to www.nortel.com/support and can be found under any Ethernet Switch or Ethernet Routing Switch folder.

___________________________________________________________________________________________________________________________

Nortel Confidential Information Copyright © 2008 Nortel Networks. All Rights Reserved.
External Distribution	33

Image 34

Nortel Networks 5530, 5520, 5510 manual QoS Interface Applications, QoS Applications Number of Classifiers Used Feature

Contents

Ethernet Routing Switch NN48500-559 Abstract Table of Contents List of Figures List of Tables Conventions Document UpdatesSymbols Text Overview Ethernet Routing Switch 5500 QoS and Filtering Unrestricted Ports ClassificationUntrusted Ports ƒ Layer 2 Classifier Elements Actions Supported Statistics QoS Flow Chart Overall Classification Functionality Filter FunctionalityClassifier Block Functionality Port Range Functionality 7, 15, 31, 63 255, 511, 1025 4095, 8191 32762, or Min = Default Policy Drop Action Policies NN48500-559 5520-24T-PWRconfig#default qos agent buffer 5520-24T-PWRconfig#qos agent buffer large maximum regularQueue Sets Ethernet Routing Switch 5500 Egress CoS Queuing Egress CoS Queuing CoS 5520-24T-PWRconfig#show qos queue-set-assignment 5520-24T-PWRconfig#qos agent queue set 5520-24T-PWRconfig#qos agent reset-default 5520-24T-PWRconfig#default qos agent queue-setEgress Queue Recommendations Traffic Meter and Shaping Bucket Size Actual Bucket Size in Bytes Actual size in bytes Interface Actual Bucket SizePolicing Traffic Parameter Description Example Meter Bucket Size and Duration Interface ShaperBucket Size Max burst rate Committed rate Duration MSec 5530-24TFDconfig#show qos if-shaper port Binary Default Nortel Class of ServiceDefault Nortel CoS Markings Hex Decimal IP-ACL Configuration QoS Access Lists ACLACL Configuration Config#qos ip-acl name 1..16 character string ? ACL Configuration Example 2 L2-ACL ConfigurationACL-Assign Configuration Config#qos l2-acl name 1..16 character string ? 5530H-24TFD#show qos acl-assign Verification5530H-24TFD#show qos ip-acl 5530H-24TFD#show qos policy 5500config#no qos ip-acl 5500config#no qos acl-assign5500config#no qos acl-assign 1 port 1/19 Changing ACL Dynamic ARP Inspection Configuration IP Security FeaturesDhcp Snooping Configuration Dhcp Snooping IP Source Guard Configuration IP Source Guard Bpdu Filtering Configuration Bpdu Filtering QoS Applications Number of Classifiers Used Feature QoS Interface Applications Configuration Example ARP Spoofing Dhcp Attacks Dhcp Snooping 10.3 DoS Bpdu Blocking ERS5500-48T#show qos if-assign Configuration Steps Policy ConfigurationRole Combination ERS5500-48T#show qos if-group Adding IP and L2 Element ERS5500-48Tconfig#qos ip-element 1-64000?Classification IP Element Adding a Classifier Adding a Classifier Block Meters Parameters and variables Description Add a New Policy Pre-defined Values Configuration ExamplesQoS Action Configure the Interface Role Combination Configuration Example 1 Traffic Meter Using Policies12.2.1 ERS5500 Configuration Using Policies Configure the IP elements Configure the Classifier Block Configure MetersERS5500 Create the classifier block ERS5500 Create the policy Configure the PolicyVerify Operations Verify the Role Combination Verify Classifier and Classifier Block Configuration Name m1 ERS5500-24T#show qos classifier-block Verify Policy Configuration Verify that the QoS Policy 12.3.1 ERS5500 Configuration IP ACL, Dhcp Snooping, ARP Inspection, and Source Guard ERS5500 Add IP address to Vlan 700 and enable Ospf ERS5500 Enable ARP-Inspection for VLAN’s 110 ERS5500 Assign the IP-ACL’s to ports Verify DHCP-Snooping Verify ARP Inspection VID Verify ACL Configuration Verify IP Source Guard NN48500-559 NN48500-559 ERS5500-24T#show qos acl-assign Configuration Example 3 Port Range Using ACL or Policy TCP Port Range Configure the Policies Configuration Using PoliciesERS5500 Create IP elements for UDP port range Configuration Using IP-ACL’s ERS5500 Remark all other traffic to Bronze 12.5.1 ERS5500 Configuration Using Policies Create Policy ERS5500 Pass all other traffic with standard CoS 12.5.2 ERS5500 Configuration Using IP-ACL’sERS5500 Assign the L2-ACL’s to ports Configuration Example 5 L2 and L3 Classification 12.6.1 ERS5500 Configuration Using Policies Configure Classifier and Classifier Blocks ERS5500 Add L2 elements for Vlan 110 12.7.1 ERS5500 Configuration Dscp Mapping via Un-restricted Port Role ACL Configuration Policy Configuration View the Queue Assignments ID ID Enable Shaping on Port Configuration Example 7 Interface ShapingVerify Shape Rate Configuration Software Baseline Reference Documentation Contact us