12.3.1 ERS5500 Configuration | Nortel Networks 5520, 5530, 5510

Filters and QoS Configuration for ERS 5500
Technical Configuration Guide	v2.0	NN48500-559

12.3Configuration Example – IP ACL, DHCP Snooping, ARP Inspection, BPDU Filtering, and Source Guard

Figure 4: IP ACL, DHCP Snooping, ARP Inspection, and Source Guard

Overall, we wish to accomplish the following in regards to VLAN 110:

•Only allow ICMP and DHCP traffic to the DHCP server (172.30.30.50) and deny all other traffic to the 172.x.x.x network

•For the 10.x.x.x network, only allow access to the local network (10.62.32.0/24) and to the 10.10.30/0/24 network for full access to the internet

•Enable DHCP Snooping, ARP-Inspection, and

In regards to VLAN 220, we wish to accomplish the following:

•Allow full access to the core network 172.0.0.0/8 and 10.0.0.0/8

•Only allow only ICMP, HTTP and HTTPS traffic to the internet

12.3.1 ERS5500 Configuration

12.3.1.1Create VLAN’s and Add Port Members ERS5500: Step 1 – Add VLANs 110, 220, and 700

5500(config)#vlan create 700 name core type port 5500(config)#vlan create 110 type port 5500(config)#vlan create 220 type port 5500(config)#vlan members remove 1 3-6,8-10,23 5500(config)#vlan ports 23 tagging tagall 5500(config)#vlan members 110 3-6 5500(config)#vlan members 220 8-10 5500(config)#vlan members 700 23

12.3.1.2 Add IP Address and Enable OSPF

ERS5500: Step 1 – Add IP address to VLAN 110 and enable OSPF with interface type of passive

___________________________________________________________________________________________________________________________

Nortel Confidential Information Copyright © 2008 Nortel Networks. All Rights Reserved.
External Distribution	50

Image 51

Nortel Networks 5520, 5530, 5510 manual 12.3.1 ERS5500 Configuration, IP ACL, Dhcp Snooping, ARP Inspection, and Source Guard

Contents

Ethernet Routing Switch NN48500-559 Abstract Table of Contents List of Tables List of Figures Text Document UpdatesSymbols Conventions Overview Ethernet Routing Switch 5500 QoS and Filtering ƒ Layer 2 Classifier Elements ClassificationUntrusted Ports Unrestricted Ports Statistics Actions Supported QoS Flow Chart Filter Functionality Overall Classification FunctionalityClassifier Block Functionality 7, 15, 31, 63 255, 511, 1025 4095, 8191 32762, or Min = Port Range Functionality Policies Default Policy Drop Action NN48500-559 5520-24T-PWRconfig#qos agent buffer large maximum regular 5520-24T-PWRconfig#default qos agent bufferQueue Sets Egress CoS Queuing Ethernet Routing Switch 5500 Egress CoS Queuing CoS 5520-24T-PWRconfig#qos agent queue set 5520-24T-PWRconfig#show qos queue-set-assignment 5520-24T-PWRconfig#default qos agent queue-set 5520-24T-PWRconfig#qos agent reset-defaultEgress Queue Recommendations Bucket Size Traffic Meter and Shaping Parameter Description Actual Bucket SizePolicing Traffic Actual Bucket Size in Bytes Actual size in bytes Interface Example Interface Shaper Meter Bucket Size and DurationBucket Size Max burst rate Committed rate Duration MSec 5530-24TFDconfig#show qos if-shaper port Hex Decimal Default Nortel Class of ServiceDefault Nortel CoS Markings Binary Config#qos ip-acl name 1..16 character string ? QoS Access Lists ACLACL Configuration IP-ACL Configuration Config#qos l2-acl name 1..16 character string ? 2 L2-ACL ConfigurationACL-Assign Configuration ACL Configuration Example Verification 5530H-24TFD#show qos acl-assign5530H-24TFD#show qos ip-acl 5530H-24TFD#show qos policy Changing ACL 5500config#no qos acl-assign5500config#no qos acl-assign 1 port 1/19 5500config#no qos ip-acl Dhcp Snooping IP Security FeaturesDhcp Snooping Configuration Dynamic ARP Inspection Configuration IP Source Guard IP Source Guard Configuration Bpdu Filtering Bpdu Filtering Configuration QoS Interface Applications QoS Applications Number of Classifiers Used Feature ARP Spoofing Configuration Example Dhcp Snooping Dhcp Attacks 10.3 DoS Bpdu Blocking ERS5500-48T#show qos if-group Configuration Steps Policy ConfigurationRole Combination ERS5500-48T#show qos if-assign IP Element ERS5500-48Tconfig#qos ip-element 1-64000?Classification Adding IP and L2 Element Adding a Classifier Block Adding a Classifier Parameters and variables Description Meters Add a New Policy Configuration Examples Pre-defined ValuesQoS Action Configure the IP elements Configuration Example 1 Traffic Meter Using Policies12.2.1 ERS5500 Configuration Using Policies Configure the Interface Role Combination Configure Meters Configure the Classifier BlockERS5500 Create the classifier block Verify the Role Combination Configure the PolicyVerify Operations ERS5500 Create the policy Name m1 Verify Classifier and Classifier Block Configuration ERS5500-24T#show qos classifier-block Verify Policy Configuration Verify that the QoS Policy IP ACL, Dhcp Snooping, ARP Inspection, and Source Guard 12.3.1 ERS5500 Configuration ERS5500 Add IP address to Vlan 700 and enable Ospf ERS5500 Enable ARP-Inspection for VLAN’s 110 Verify DHCP-Snooping ERS5500 Assign the IP-ACL’s to ports VID Verify ARP Inspection Verify IP Source Guard Verify ACL Configuration NN48500-559 NN48500-559 ERS5500-24T#show qos acl-assign TCP Port Range Configuration Example 3 Port Range Using ACL or Policy Configuration Using Policies Configure the PoliciesERS5500 Create IP elements for UDP port range ERS5500 Remark all other traffic to Bronze Configuration Using IP-ACL’s Create Policy 12.5.1 ERS5500 Configuration Using Policies 12.5.2 ERS5500 Configuration Using IP-ACL’s ERS5500 Pass all other traffic with standard CoSERS5500 Assign the L2-ACL’s to ports 12.6.1 ERS5500 Configuration Using Policies Configuration Example 5 L2 and L3 Classification ERS5500 Add L2 elements for Vlan 110 Configure Classifier and Classifier Blocks Dscp Mapping via Un-restricted Port Role 12.7.1 ERS5500 Configuration Policy Configuration ACL Configuration ID ID View the Queue Assignments Configuration Example 7 Interface Shaping Enable Shaping on PortVerify Shape Rate Configuration Reference Documentation Software Baseline Contact us