Verify IP Source Guard | Nortel Networks 5510, 5520, 5530 instruction

Filters and QoS Configuration for ERS 5500
Technical Configuration Guide	v2.0	NN48500-559

12.3.2.3 Verify IP Source Guard

Step 1 – To view the IP Source Guard binding, enter the following command, assuming we have port member on ports 6 and 9

ERS5500-24T#show ip source binding

Result:

Port Address

---- ---------------

610.62.32.10

910.13.196.10

&An IP source Guard or ARP Inspection event will be logged (local and remote if enabled) indicated by the message, i.e. from port 6: “ARP packet with invalid IP/MAC binding on un-trusted port 1/6”.

12.3.2.4 Verify ACL Configuration

Step 1 – To view the IP ACL configuration, enter the following command:

ERS5500-24T#show qos ip-acl

Result:

Id: 1

Name: one

Block:

Address Type: IPv4

Destination Addr/Mask: 172.30.30.50/32

Source Addr/Mask: Ignore

DSCP: Ignore

IPv4 Protocol / IPv6 Next Header: ICMP

Destination L4 Port Min: Ignore

Destination L4 Port Max: Ignore

Source L4 Port Min: Ignore

Source L4 Port Max: Ignore

IPv6 Flow Id: Ignore

Action Drop: No

Action Update DSCP: Ignore

Action Update 802.1p Priority: Ignore

Action Set Drop Precedence: Low Drop

Type: Access List

Storage Type: NonVolatile

Id: 2

Name: one

Block:

Address Type: IPv4

Destination Addr/Mask: 172.30.30.50/32

Source Addr/Mask: Ignore

DSCP: Ignore

IPv4 Protocol / IPv6 Next Header: UDP

Destination L4 Port Min: 67

Destination L4 Port Max: 67

Source L4 Port Min: Ignore

Source L4 Port Max: Ignore

IPv6 Flow Id: Ignore

Action Drop: No

Action Update DSCP: Ignore

Action Update 802.1p Priority: Ignore

Action Set Drop Precedence: Low Drop

Type: Access List

Storage Type: NonVolatile

___________________________________________________________________________________________________________________________

Nortel Confidential Information Copyright © 2008 Nortel Networks. All Rights Reserved.
External Distribution	55

Image 56

Nortel Networks 5510, 5520, 5530 manual Verify IP Source Guard, Verify ACL Configuration

Contents

Ethernet Routing Switch NN48500-559 Abstract Table of Contents List of Figures List of Tables Document Updates SymbolsConventions Text Overview Ethernet Routing Switch 5500 QoS and Filtering Classification Untrusted PortsUnrestricted Ports ƒ Layer 2 Classifier Elements Actions Supported Statistics QoS Flow Chart Classifier Block Functionality Filter FunctionalityOverall Classification Functionality Port Range Functionality 7, 15, 31, 63 255, 511, 1025 4095, 8191 32762, or Min = Default Policy Drop Action Policies NN48500-559 Queue Sets 5520-24T-PWRconfig#qos agent buffer large maximum regular5520-24T-PWRconfig#default qos agent buffer Ethernet Routing Switch 5500 Egress CoS Queuing Egress CoS Queuing CoS 5520-24T-PWRconfig#show qos queue-set-assignment 5520-24T-PWRconfig#qos agent queue set Egress Queue Recommendations 5520-24T-PWRconfig#default qos agent queue-set5520-24T-PWRconfig#qos agent reset-default Traffic Meter and Shaping Bucket Size Actual Bucket Size Policing TrafficActual Bucket Size in Bytes Actual size in bytes Interface Parameter Description Example Bucket Size Max burst rate Committed rate Duration MSec Interface ShaperMeter Bucket Size and Duration 5530-24TFDconfig#show qos if-shaper port Default Nortel Class of Service Default Nortel CoS MarkingsBinary Hex Decimal QoS Access Lists ACL ACL ConfigurationIP-ACL Configuration Config#qos ip-acl name 1..16 character string ? 2 L2-ACL Configuration ACL-Assign ConfigurationACL Configuration Example Config#qos l2-acl name 1..16 character string ? 5530H-24TFD#show qos ip-acl Verification5530H-24TFD#show qos acl-assign 5530H-24TFD#show qos policy 5500config#no qos acl-assign 5500config#no qos acl-assign 1 port 1/195500config#no qos ip-acl Changing ACL IP Security Features Dhcp Snooping ConfigurationDynamic ARP Inspection Configuration Dhcp Snooping IP Source Guard Configuration IP Source Guard Bpdu Filtering Configuration Bpdu Filtering QoS Applications Number of Classifiers Used Feature QoS Interface Applications Configuration Example ARP Spoofing Dhcp Attacks Dhcp Snooping 10.3 DoS Bpdu Blocking Configuration Steps Policy Configuration Role CombinationERS5500-48T#show qos if-assign ERS5500-48T#show qos if-group ERS5500-48Tconfig#qos ip-element 1-64000? ClassificationAdding IP and L2 Element IP Element Adding a Classifier Adding a Classifier Block Meters Parameters and variables Description Add a New Policy QoS Action Configuration ExamplesPre-defined Values Configuration Example 1 Traffic Meter Using Policies 12.2.1 ERS5500 Configuration Using PoliciesConfigure the Interface Role Combination Configure the IP elements ERS5500 Create the classifier block Configure MetersConfigure the Classifier Block Configure the Policy Verify OperationsERS5500 Create the policy Verify the Role Combination Verify Classifier and Classifier Block Configuration Name m1 ERS5500-24T#show qos classifier-block Verify Policy Configuration Verify that the QoS Policy 12.3.1 ERS5500 Configuration IP ACL, Dhcp Snooping, ARP Inspection, and Source Guard ERS5500 Add IP address to Vlan 700 and enable Ospf ERS5500 Enable ARP-Inspection for VLAN’s 110 ERS5500 Assign the IP-ACL’s to ports Verify DHCP-Snooping Verify ARP Inspection VID Verify ACL Configuration Verify IP Source Guard NN48500-559 NN48500-559 ERS5500-24T#show qos acl-assign Configuration Example 3 Port Range Using ACL or Policy TCP Port Range ERS5500 Create IP elements for UDP port range Configuration Using PoliciesConfigure the Policies Configuration Using IP-ACL’s ERS5500 Remark all other traffic to Bronze 12.5.1 ERS5500 Configuration Using Policies Create Policy ERS5500 Assign the L2-ACL’s to ports 12.5.2 ERS5500 Configuration Using IP-ACL’sERS5500 Pass all other traffic with standard CoS Configuration Example 5 L2 and L3 Classification 12.6.1 ERS5500 Configuration Using Policies Configure Classifier and Classifier Blocks ERS5500 Add L2 elements for Vlan 110 12.7.1 ERS5500 Configuration Dscp Mapping via Un-restricted Port Role ACL Configuration Policy Configuration View the Queue Assignments ID ID Verify Shape Rate Configuration Configuration Example 7 Interface ShapingEnable Shaping on Port Software Baseline Reference Documentation Contact us