Avaya ERS 5510 Technical Configuration Manual Download Page 38 | Manualshive

Page: 38 / 73

background image

Filt

Filters and QOS Configuration for Ethernet Routing Switch 5500

Technical Configuration Guide

38

January 2013

avaya.com

5530-24TFD(config)#

interface fastEthernet all

5530-24TFD(config-if)#

qos dhcp spoofing port 2-10 dhcp-server 172.30.30.50

10.3 DoS

The following command is used to enable the various DoS QoS Applications

5530-24TFD(config)#

interface fastEthernet all

5530-24TFD(config-if)#

qos dos <nachi a|sql slam |tcp-dnsport|tcp -ftpport|tcp-

synfinscan|xmas> port <port #> enable

SQLSlam

The worm targeting SQL Server computers is a self-propagating, malicious code that exploits a
vulnerability that allows  for the execution of arbitrary code on the  SQL Server computer due to a stack
buffer overflow. Once the worm compromises a machine it will try to propagate itself by crafting packets of
376 bytes and send them to randomly chosen IP addresses on UDP port 1434. If the packet is sent to a
vulnerable machine, this victim machine will become infected and will also begin to propagate. Beyond
the scanning activity for  new hosts, the current  variant of this worm has no  Configuring Quality of Service
and  IP Filtering for A vaya Ethernet Routing Switch 5500 Series, Software Release 4.2  other payload.
Activity of this worm is readily identifiable on a network by the presence  of 376 byte UDP packets. These
packets will appear to be originating from seemingly random  IP addresses and destined for UDP port
1434.

When enabled, the DoS SQLSlam QoS Application will drop UDP traffic whose destination port is 1434
with the byte pattern of 0x040101010101 starting at byte 47 of a tagged packet.

Nachia

The W32/Nachi  variants W32/Nachi -A and W32/Nac hi-B are worms that spread using the RP C DCOM
vulnerability in a similar fashion to the W32/Blaster-A  worm. Both rely upon two  vulnerabilities in
Microsoft 's software.

When enabled, the DoS Nachia QoS Application will drop ICMP traffic with the byte pattern of 0xaaaaaa)
starting at byte 48 of a tagged packet.

Xmas

Xmas is a DoS attack that sends  TCP packets with all TCP flags set in the same packet; which is illegal.
When enabled, the DoS  Xmas QoS Application will drop  TCP traffic with the URG:PSH  TCP flags
set.TCP

SynFinScan

TCP SynFinScan is a DoS attack that sends both a TCP SYN and FIN in the same packet; which is illegal.
When enabled, the TCP SynFinScan QoS Application will drop TCP traffic with the SY N:FIN TCP flags
set.

TCP FtpPort

A TCP FtpP ort attack is identified  by TCP packets with a source port of 20 and a destination port less
than 1024; which is illegal. A legal FTP request would have  been initiated with a  TCP port greater than
1024. When enabled, the  TCP FtpPort QoS Application  will drop  TCP traffic with the  TCP SYN fl ag set
and a source port of 20  with a destination port less than or equal to 1024.

TCP DnsPort

«
...
36
37
38
39
40
...
»

Summary of Contents for ERS 5510

Page 1: ...510 5520 5530 Engineering Filters and QOS Configuration for Ethernet Routing Switch 5500 Technical Configuration Guide Enterprise Solutions Engineering Document Date January 2013 Document Number NN48500 559 Document Version 2 2 ...

Page 2: ...ENSE BY INSTALLING DOWNLOADING OR USING THE SOFTWARE OR AUTHORIZING OTHERS TO DO SO YOU ON BEHALF OF YOURSELF AND THE ENTITY FOR WHOM YOU ARE INSTALLING DOWNLOADING OR USING THE SOFTWARE HEREINAFTER REFERRED TO INTERCHANGEABLY AS YOU AND END USER AGREE TO THESE TERMS AND CONDITIONS AND CREATE A BINDING CONTRACT BETWEEN YOU AND AVAYA INC OR THE APPLICABLE AVAYA AFFILIATE AVAYA Copyright Except wher...

Page 3: ...ation Guide 3 January 2013 avaya com Abstract This technical configuration guide provides an overview on how to configure QoS and Filters on the Ethernet Routing Switch 5500 with software release 5 1 The configuration examples are all in reference to the Avaya Command Line Interface ACLI ...

Page 4: ...rface Shaper 24 6 Default Avaya Class of Service 26 7 QoS Access Lists ACL 27 7 1 ACL Configuration 27 8 IP Security Features 32 8 1 DHCP Snooping 32 8 2 Dynamic ARP Inspection 33 8 3 IP Source Guard 33 9 BPDU Filtering 34 9 1 BPDU Filtering Configuration 34 10 QoS Interface Applications 35 10 1 ARP Spoofing 36 10 2 DHCP Attacks 37 10 3 DoS 38 10 4 BPDU Blocking 39 11 Configuration Steps Policy Co...

Page 5: ...from a distributor or reseller 73 15 4 Getting technical support from the Avaya Web site 73 List of Figures Figure 1 QoS System Diagram 7 Figure 2 QoS Flow Chart 10 Figure 3 Arp Spoofing Example 36 Figure 4 IP ACL DHCP Snooping ARP Inspection and Source Guard 52 Figure 5 L2 Classification Based on MAC Address Example 64 Figure 6 DSCP Mapping via Un restricted Port Role 68 List of Tables Table 1 De...

Page 6: ...important information to the reader Warning Highlights important information about an action that may result in equipment damage configuration or data loss Text Bold text indicates emphasis Italic text in a Courier New font indicates text the user must enter or select in a menu item button or command ERS5520 48T show running config Output examples from Avaya devices are displayed in a Lucinda Cons...

Page 7: ...ffic to appropriate egress queue Figure 1 QoS System Diagram Role Combination A role combination is a grouping of one or more ports capabilities and interface classifications against which a policy is applied The capabilities presently supported on the Ethernet Routing Switch 5500 include ingress IP and Layer 2 classification The Ethernet Routing Switch 5500 supports the following interface classe...

Page 8: ...tricted Ports o Does not assume anything about the origin of the incoming traffic You may assign an action to set the DSCP or not to set the DSCP it s up to you This allows you to manipulate the DSCP value based upon the filter criteria and not upon the point of origin The following table displays a summary of the role combination capabilities Table 1 Default QoS Action Type of Filter Action Trust...

Page 9: ...file actions metered traffic within specific bandwidth limits o Drop o Update DSCP o Update 802 1p o Drop precedence choice of low drop high drop or use egress map Out of profile actions metered traffic exceeding bandwidth limits o Drop o Update DSCP o Set drop precedence Non Match actions non metered traffic o Drop o Update DSCP o Update 802 1p o Drop precedence choice of low drop or high drop Me...

Page 10: ...ock to a Policy on a per port basis The Ethernet Routing Switch 5500 supports up to 114 Classifiers per port for a total of greater than 40K Classifiers in a fully configured stack Figure 2 QoS Flow Chart Role Combination Application QoS Devices Interface Configuration Role Combination Interface Classes o Trusted Ports o Untrusted Ports o Unrestricted Classification Application QoS Rules Classifie...

Page 11: ...ined could consume all counting resources for a single interface with one policy To avoid exhausting the number of counters available per interface one may select aggregate classifier tracking instead of individual classifier tracking when creating the policy By specifying aggregate classifier tracking a single counter resource is used to track statistics for all the classifiers of that policy rat...

Page 12: ...mited to a certain extent however because ranges are represented as a bitmask within the overall classification mask and not with explicit minimum and maximum values A range must thus be specified by indicating which bits in the given field e g Layer 4 source port are ignored i e set to 0 Taking into account this limitation the following rules are used to determine valid range values I Minimum val...

Page 13: ... Example We have the following IP elements qos ip element 1 addr type ipv4 src ip 10 10 10 0 24 dst ip 10 10 20 0 24 protocol 17 dst port min 3000 dst port max 3007 qos ip element 2 addr type ipv4 src ip 10 10 10 0 24 dst ip 10 10 20 0 24 protocol 17 dst port min 3008 dst port max 3071 qos ip element 3 addr type ipv4 src ip 10 10 10 0 24 dst ip 10 10 20 0 24 protocol 17 dst port min 3072 dst port ...

Page 14: ... with the higher precedence will be used Referenced component conflicts action or meter criteria can be specified through individual classifier blocks When a policy references a classifier block and members of the referenced block identify their own action or meter criteria action and meter data must not be specified by the policy The actions applied to packets include those actions defined from u...

Page 15: ...Drop_Traffic uses a drop action of deferred Pass A drop action of deferred Pass specifies that a traffic flow decision will be deferred to other installed policies To make a policy behave somewhat similar to stop on match you will have to create a new action with a drop action of dontDrop JDM or disable CLI Statistics accumulation support a limited number of counters are available for tracking sta...

Page 16: ...changes are made Table 4 Ethernet Routing Switch 5500 Resource Sharing Setting Description Regular 1 port may use up to 16 of the buffers for a group of 12 ports Large 1 port may use up to 33 of the buffers for a group of 12 ports Maximum 1 port may use 100 of the buffers for a group of 12 ports Resource Sharing Commands 5520 24T PWR config qos agent buffer large maximum regular The qos agent buff...

Page 17: ...group of 12 ports Egress CoS Queuing The following charts describe each possible egress CoS queuing setting The mapping of 802 1p priority to egress CoS queue dequeuing algorithm and queue weight is given Additionally the memory and maximum number of packets which can be buffered per egress CoS queue and resource sharing settings is shown Table 5 Ethernet Routing Switch 5500 Egress CoS Queuing Set...

Page 18: ...7 1 Strict 100 36864B 51200B 163840B 24 33 107 6 2 Weighted Round Robin 52 33792B 49152B 151040B 22 32 99 5 3 24 31744B 47104B 137472B 20 31 90 4 4 14 26624B 43008B 124160B 17 28 81 3 5 7 21504B 37376B 111360B 2 14 24 73 1 6 3 18432B 34304B 98560B 0 12 22 64 5 CoS 7 1 Strict 100 46080B 64000B 199680B 30 42 131 6 2 Weighted Round Robin 58 41984B 59904B 181760B 27 39 119 5 3 27 35840B 53760B 158720B...

Page 19: ... 518 Egress CoS Queuing CLI Commands 5520 24T PWR config show qos queue set assignment The show qos queue set assignment command displays in the CLI the 802 1p priority to egress CoS and QoS queue mapping for CoS setting 1 8 This command is in the CLI priv exec mode 5520 24T PWR config show qos queue set The show qos queue set command displays the queue set configuration The display includes the g...

Page 20: ...ode 5520 24T PWR config show qos agent The show qos agent command displays the current attributes for egress CoS and QoS queue mode resource sharing mode and QoS NVRAM commit delay This command is in the CLI priv exec mode 5520 24T PWR config qos agent nvram delay The qos agent nvram delay command will modify the maximum time in seconds to write config data to non volatile storage This command is ...

Page 21: ... committed burst to occur up to the token bucket size For traffic metering an in profile and an out of profile action is configured and is expressed as an id You can use one of the default actions or create a new action prior to configuring a mete r To view the action id s please use the command shown below For example if you wish to remark the in profile traffic with a QoS level of Bronze and dro...

Page 22: ...g the committed rate burst rate and burst duration can be configured using the following command 5530 24TFD config qos meter 1 55000 committed rate 64 10230000 Kbits sec max burst rate 64 4294967295 Kbits sec max burst duration 1 4294967295 Milliseconds in profile action 1 55000 out profile action 1 1 9 55000 QoS parameters Parameter Description 1 55000 Enter an integer to specify the QoS meter ra...

Page 23: ...e as long as it is larger than the committed rate Example Let s assume you wish to set the committed rate to 10M and set the committed burst bucket size to 128K We also wish to mark all in profile traffic to Bronze and drop all out of profile traffic To accomplish this please use the following commands 1 Calculate the duration expressed in milliseconds Using the actual bucket size from table 7 and...

Page 24: ...he following command 5530 24TFD config interface fastEthernet all 5530 24TFD config if qos if shaper port port shape rate 64 10230000 Kbits sec max burst rate 64 4294967295 Kbits sec max burst duration 1 4294967295 milliseconds QoS interface shaping parameters Parameter Description portlist Ports to configure shaping parameters WORD Specify name for if shaper maximum is 16 alphanumeric characters ...

Page 25: ...et size to 4K for port 8 To accomplish this please use the following commands 1 Calculate the duration expressed in milliseconds Using the actual bucket size from table 7 and a maximum burst rate of 50M Duration bucketSize 8 max burst rate committed rate Duration 4 096 8 50 000 000 40 000 000 Duration 3 2768 ms Rounded down the duration value is 3 ms 2 Next enter the following commands on the Ethe...

Page 26: ...P TOS Binary NNSC PHB Hex Decimal 0x0 0 0x0 000000 00 Standard CS0 0x0 0 0x0 000000 00 DE 0x8 8 0x20 001000 00 Bronze CS1 0xA 10 0x28 001010 00 AF11 0x10 16 0x40 010000 00 Silver CS2 0x12 18 0x48 010010 00 AF21 0x18 24 0x60 011000 00 Gold CS3 0x1A 26 0x68 011010 00 AF31 0x20 32 0x80 100000 00 Platinum CS4 0x22 34 0x88 100010 00 AF41 0x28 40 0xA0 101000 00 Premium CS5 0x2E 46 0xB8 101110 00 EF 0x30...

Page 27: ...ot be combined If you wish to combine L2 and L3 policies must be used ACLs cannot be modified you must first remove the ACL assign configuration at a port level then delete the ACL or ACLs you wish to modify and reconfigure the ACL or ACLs ACLs can be enabled or disabled However you cannot update or change the associated precedence values when the ACL is disabled You can only configure ACLs using ...

Page 28: ...name is then assigned at a port level using the following command 5500 config qos acl assign port port or port s acl type ip l2 name acl name 7 1 4 ACL Configuration Example 7 1 4 1 Configuration Assuming we wish to configure the following remark host 172 1 1 10 ftp traffic to CoS class of Silver remark host 172 1 1 10 http traffic to CoS class of Gold apply the ACL to port 1 19 To accomplish the ...

Page 29: ...t Block tcpcommon Address Type IPv4 Destination Addr Mask Ignore Source Addr Mask 172 1 1 10 32 DSCP Ignore IPv4 Protocol IPv6 Next Header TCP Destination L4 Port Min Ignore Destination L4 Port Max Ignore Source L4 Port Min 21 Source L4 Port Max 21 IPv6 Flow Id Ignore Action Drop No Action Update DSCP 0x12 Action Update 802 1p Priority Ignore Action Set Drop Precedence Low Drop Type Access List St...

Page 30: ...ntrustedClfrs1 State Enabled Classifier Type Block Classifier Name UntrustedClfrs1 Classifier Id 55001 Role Combination allQoSPolicyIfcs Meter Meter Id In Profile Action UntrustedClfrs1 In Profile Action Id 55001 Non Match Action Non Match Action Id Track Statistics Aggregate Precedence 2 Session Id 0 Storage Type Other Id 55002 Policy Name UntrustedClfrs2 State Enabled Classifier Type Block Class...

Page 31: ...hange the http marking from CoS level of Gold to CoS level of Bronze enter the following command shown below From using the show command above we know that port 1 19 as been assigned ACL Assign ID of 1 Hence we need to remove this id first using the following command 5500 config no qos acl assign 1 or if you wish to remove the setting on an individual port we only used one port for this example so...

Page 32: ...ess lease time port number and VLAN ID DHCP snooping is configured at a per VLAN basis where by default all ports are set to untrusted You must configure the uplink ports as trusted Overall DHCP snooping operates as follows Allows only DHCP requests form untrusted ports DHCP replies and all other DHCP messages from untrusted ports are dropped Verifies the DHCP snooping binding table on untrusted p...

Page 33: ...ynamic ARP Inspection Configuration Assuming DHCP snooping is already enable for VLANs 100 and 200 and port 1 19 is the uplink port enter the following commands 5500 config ip arp inspection vlan 100 5500 config ip arp inspection vlan 200 5500 config interface fastEthernet 1 24 5500 config if ip arp inspection trusted 5500 config if exit 8 3 IP Source Guard IP source guard works together with the ...

Page 34: ...uired to bring the port back up by disabling and then re enabling the port state BPDU filter is enabled at an interface level using the following commands 5520 1 config if spanning tree bpdu filtering timeout 10 65535 seconds or 0 for infinity 5520 1 config if spanning tree bpdu filtering enable 9 1 BPDU Filtering Configuration Assuming we wish to enable BPDU filtering with the timer set to infini...

Page 35: ...the QoS applications listed above a number of classifiers are required per QoS applications Please refer to table 10 shown below Table 10 QoS Applications Number of Classifiers Used Feature Number of Classifiers ARP Spoofing 5 DHCP Snooping 1 DHCP Spoofing 2 DoS SQLSlam 1 DoS Nachia 1 DoS Xmas 1 DoS TCP SynFinScan 1 DoS TCP FTPPort 2 DoS TCP DNS Port 2 BPDUBlock 1 For more details on Layer 2 secur...

Page 36: ...have to allow broadcast ARP block any ARP messages using the source IP or target IP of the default gateway and then allow ARP reply these filters should not be applied to the router port s only on the user ports In the 4 2 release or higher a new command has been added to prevent ARP Spoofing between hosts and the router default gateway Configuration Example Assuming the following The default gate...

Page 37: ...ports All other types of DHCP messages received on access ports are discarded This prevents rogue DHCP servers from being set up by attackers on access ports and generating DHCP responses that provide the rogue server s address for the default gateway and DNS server This helps prevent DHCP man in the middle attacks The user will need to specify the interface type for the ports on which they wish t...

Page 38: ...UDP packets These packets will appear to be originating from seemingly random IP addresses and destined for UDP port 1434 When enabled the DoS SQLSlam QoS Application will drop UDP traffic whose destination port is 1434 with the byte pattern of 0x040101010101 starting at byte 47 of a tagged packet Nachia The W32 Nachi variants W32 Nachi A and W32 Nachi B are worms that spread using the RPC DCOM vu...

Page 39: ...s than or equal to 1024 BPDU 10 4 BPDU Blocking There are certain scenarios in a bridged switched environment when the user may wish to drop incoming BPDUs on a specific interface When enabled the BPDU Blocker QoS Application will drop traffic with a specific multicast destination MAC address Currently targeted BPDU multicast destination addresses are 01 80 c2 00 00 00 and 01 00 0c cc cc cd The fo...

Page 40: ... complete the following steps a Add a new Interface Group ERS5500 48T config qos if group name name class trusted unrestricted untrusted b Assign the physical ports to the Interface Group ERS5500 48T config qos if assign port port name if group name Example ERS5500 48T config qos if group name role_one class untrusted ERS5500 48T config qos if assign port 1 5 name role_one c View Role Combination ...

Page 41: ...00 48T config qos ip element 1 64000 addr type Specify the address type IPv4 IPv6 classifier criteria ds field Specify the DSCP classifier criteria dst ip Specify the destination IP classifier criteria dst port min Specify the L4 destination port minimum value classifier criteria flow id Specify the IPv6 flow identifier classifier criteria next header Specify the IPv6 next header classifier criter...

Page 42: ...ent or L2 element ID Example Adding an IP element to a classifier ERS5500 48T config qos classifier 1 set id 1 name class_1 element type ip element id 1 Adding an IP element and a L2 element to a classifier ERS5500 48T config qos classifier 2 set id 2 name class_2 element type ip element id 2 ERS5500 48T config qos classifier 3 set id 2 name class_2 element type l2 element id 1 c Adding a Classifi...

Page 43: ...rs1 DPass Ing 1p Ignore Low Drop Other 64002 UntrustedClfrs2 DPass 0x0 Priority 0 High Drop Other QoS Meter Command Parameters Parameters and variables Description metid Enter an integer to specify the QoS meter range is 1 to 64000 name metname Specify name for meter maximum is 16 alphanumeric characters committed rate rate Specifies rate that traffic must not exceed for extended periods to be con...

Page 44: ...dual aggregate NOTE Instead of clfr id you can also enter the classifier or classifier block name by using clfr name b To assign a Classifier to a new Policy with a meter enter the following command ERS5500 48T config qos policy 1 64000 name name if group if group name clfr type block classifier classifier clfr id 1 64000 meter 1 64000 non match action 1 64000 precedence 3 10 track statistics indi...

Page 45: ...op ReadOnl 2 Standard_Service No 0x0 Priority 0 High Drop ReadOnl 3 Bronze_Service No 0xA Priority 2 Low Drop ReadOnl 4 Silver_Service No 0x12 Priority 3 Low Drop ReadOnl 5 Gold_Service No 0x1A Priority 4 Low Drop ReadOnl 6 Platinum_Service No 0x22 Priority 5 Low Drop ReadOnl 7 Premium_Service No 0x2E Priority 6 Low Drop ReadOnl 8 Network_Service No 0x30 Priority 7 Low Drop ReadOnl 9 Null_Action N...

Page 46: ...cy to ports 5 and 6 NOTE As all three classifiers use the same mask we will create a classifier block to group all three classifiers At this time it is only possible to configure traffic meters using policies It is not possible to add traffic meters via ACLs 12 2 1 ERS 5500 Configuration Using Policies 12 2 1 1 Configure the Interface Role Combination For this example we will configure a new role ...

Page 47: ...ement type ip element id 3 The element id the element number you assigned in the previous step above 12 2 1 4 Configure Meters As mentioned in section 5 2 above if we do not configure a maximum duration rate the committed burst will be automatically set to the maximum value For all 10 100 Mbps and 1 GigE Ethernet ports the maximum committed burst is 524 288 bytes Hence it does not matter what valu...

Page 48: ...ividual 12 2 2 Verify Operations 12 2 2 1 Verify the Role Combination Step 1 Verify that the if group has been configured correctly ERS5500 24T show qos if group Result Role Interface Capabilities Storage Combination Class Type ________________________________ ____________ ___________________ ___________ allQoSPolicyIfcs Untrusted Input 802 Input IP ReadOnly unrestricted Unrestricted Input 802 Inp...

Page 49: ...Session Id 0 Storage Type NonVolatile Id 3 Address Type IPv4 Destination Addr Mask Ignore Source Addr Mask Ignore DSCP Ignore IPv6 Flow Id Ignore IPv4 Protocol IPv6 Next Header UDP Destination L4 Port Min 137 Destination L4 Port Max 137 Source L4 Port Min Ignore Source L4 Port Max Ignore Session Id 0 Storage Type NonVolatile 12 2 3 Verify Classifier and Classifier Block Configuration Step 1 Verify...

Page 50: ...mit Rate 1000 Kbps Commit Burst 524288 Bytes In Profile Action Standard_Service Out Profile Action Drop_Traffic Session Id 0 Storage Type NonVolatile Step 3 Verify that the Classifier Block with the correct classifier and meter number ERS5500 24T show qos classifier block Result Id 1 Block Name b1 Block Number 1 Classifier Name c1 Classifier Set Id 1 Meter Name m1 Meter Id 1 Action Name Action Id ...

Page 51: ... 3 1 Verify Policy Configuration Step 1 Verify that the QoS Policy ERS5500 24T show qos policy Result Policy Name policy1 State Enabled Classifier Type Block Classifier Name b1 Classifier Id 1 Role Combination q2 Meter Meter Id In Profile Action In Profile Action Id Non Match Action Standard_Service Non Match Action Id 2 Track Statistics Individual Precedence 3 Session Id 0 Storage Type NonVolatil...

Page 52: ...k 10 62 32 0 24 and to the 10 10 30 0 24 network for full access to the internet Enable DHCP Snooping ARP Inspection and In regards to VLAN 220 we wish to accomplish the following Allow full access to the core network 172 0 0 0 8 and 10 0 0 0 8 Only allow only ICMP HTTP and HTTPS traffic to the internet 12 3 1 ERS 5500 Configuration 12 3 1 1 Create VLAN s and Add Port Members ERS5500 Step 1 Add VL...

Page 53: ...500 config if ip ospf enable 5500 config if exit ERS5500 Step 3 Add IP address to VLAN 700 and enable OSPF 5500 config interface vlan 700 5500 config if ip address 10 95 101 3 255 255 255 0 5500 config if ip ospf enable 5500 config if exit 12 3 1 3 Enable IP Routing and OSPF Globally ERS5500 Step 1 Enable IP routing and OSPF Globally 5500 config ip routing 5500 config router ospf enable 12 3 1 4 E...

Page 54: ...S5500 Step 1 Enable DHCP Snooping for VLAN s 110 and 220 and enable DHCP Snooping globally 5500 config ip dhcp snooping vlan 110 5500 config ip dhcp snooping vlan 220 5500 config ip dhcp snooping enable ERS5500 Step 1 Enable ARP Inspection for VLAN s 110 and 220 5500 config ip arp inspection vlan 110 5500 config ip arp inspection vlan 220 12 3 1 7 Enable IP Source Guard ERS5500 Step 1 Enable IP So...

Page 55: ...tocol 1 refers to ICMP while protocol 17 refers to UDP 12 3 1 9 Create ACL s for VLAN 220 Port Members ERS5500 Step 1 Create IP ACL s pertaining to VLAN 220 VLAN port members 5500 config qos ip acl name two dst ip 10 0 0 0 8 block b3 5500 config qos ip acl name two dst ip 172 0 0 0 8 block b3 5500 config qos ip acl name two protocol 6 dst port min 80 dst port max 80 block b4 5500 config qos ip acl...

Page 56: ...ommand assuming we have port member on ports 6 and 9 ERS5500 24T show ip dhcp snooping binding Result MAC IP Lease sec VID Port 00 50 8b e1 58 e8 10 62 32 10 691200 110 6 00 02 a5 e9 00 28 10 13 196 10 691200 220 9 Total Entries 2 12 3 2 2 Verify ARP Inspection Step 1 Verify that ARP Inspection is enabled for VLAN s 110 and 220 ERS5500 24T show ip arp inspection vlan Result ARP VLAN Inspection 1 D...

Page 57: ... 3 2 4 Verify ACL Configuration Step 1 To view the IP ACL configuration enter the following command ERS5500 24T show qos ip acl Result Id 1 Name one Block Address Type IPv4 Destination Addr Mask 172 30 30 50 32 Source Addr Mask Ignore DSCP Ignore IPv4 Protocol IPv6 Next Header ICMP Destination L4 Port Min Ignore Destination L4 Port Max Ignore Source L4 Port Min Ignore Source L4 Port Max Ignore IPv...

Page 58: ...dence Low Drop Type Access List Storage Type NonVolatile Id 4 Name one Block b1 Address Type IPv4 Destination Addr Mask 10 62 32 0 24 Source Addr Mask Ignore DSCP Ignore IPv4 Protocol IPv6 Next Header Ignore Destination L4 Port Min Ignore Destination L4 Port Max Ignore Source L4 Port Min Ignore Source L4 Port Max Ignore IPv6 Flow Id Ignore Action Drop No Action Update DSCP Ignore Action Update 802...

Page 59: ...dr Mask Ignore DSCP Ignore IPv4 Protocol IPv6 Next Header Ignore Destination L4 Port Min Ignore Destination L4 Port Max Ignore Source L4 Port Min Ignore Source L4 Port Max Ignore IPv6 Flow Id Ignore Action Drop No Action Update DSCP Ignore Action Update 802 1p Priority Ignore Action Set Drop Precedence Low Drop Type Access List Storage Type NonVolatile Id 8 Name two Block b3 Address Type IPv4 Dest...

Page 60: ...ort Min Ignore Source L4 Port Max Ignore IPv6 Flow Id Ignore Action Drop No Action Update DSCP Ignore Action Update 802 1p Priority Ignore Action Set Drop Precedence Low Drop Type Access List Storage Type NonVolatile Id 11 Name two Block b4 Address Type IPv4 Destination Addr Mask Ignore Source Addr Mask Ignore DSCP Ignore IPv4 Protocol IPv6 Next Header TCP Destination L4 Port Min 443 Destination L...

Page 61: ... Port Range Using ACL or Policy Assuming we wish to filter on the following port ranges and remark the traffic to CoS level shown below TCP dst port 80 127 with CoS level of Gold UDP dst port 2000 2047 with CoS level of Silver As mentioned in section 3 3 a port range must start with an even minimum number while the maximum number rightmost consecutive 0 s are replaced with 1 s The table shown belo...

Page 62: ...nfig qos if group name ifx class unrestricted ERS5500 24T config qos if assign port 3 6 name ifx 12 4 1 2 Add new IP element pertaining to the port ranges above ERS5500 Step 1 Create IP elements for TCP port range 80 127 5500 config qos ip element 1 protocol 6 dst port min 80 dst port max 95 5500 config qos ip element 2 protocol 6 dst port min 96 dst port max 127 ERS5500 Step 1 Create IP elements ...

Page 63: ...g IP ACL s 12 4 2 1 Create ACL s for TCP Range 80 127 ERS5500 Step 1 Create IP ACL s for TCP port range 80 127 to remark traffic to CoS level of Gold DSCP decimal 26 5500 config qos ip acl name range protocol 6 dst port min 80 dst port max 95 update dscp 26 5500 config qos ip acl name range protocol 6 dst port min 96 dst port max 127 update dscp 26 ERS5500 Step 2 Create IP ACL s for UDP port range...

Page 64: ...lassification Based on MAC Address Example 12 5 1 ERS5500 Configuration Using Policies 12 5 1 1 Configure the Interface Role Combination ERS5500 Step 1 Create the Interface Role Combination and name is vlan_110 ERS5500 24T config qos if group name vlan_110 class unrestricted ERS5500 24T config qos if assign port 1 3 4 name vlan_110 12 5 1 2 Add new L2 element ERS5500 Step 1 Add an L2 element for V...

Page 65: ...config qos policy 1 name pol_1 if group vlan_110 clfr type classifier clfr id 1 in profile action 5 non match action 3 precedence 11 12 5 2 ERS5500 Configuration Using IP ACL s 12 5 2 1 Create L2 ACL s for MAC Address Range ERS5500 Step 1 Create L2 ACL s for MAC address range 00 00 01 00 00 00 to 00 00 01 00 00 ff 5500 config qos l2 acl name vlan_110 src mac 00 00 0a 00 00 00 src mac mask fff fff ...

Page 66: ...nt with host 1 s IP address and VLAN 110 and add to Classifier Block 1 with an in profile action of Gold Service Create a second classifier element with host 2 s IP address and VLAN 120 and add to Classifier Block 1 with an in profile action of Silver Service Create a Policy with Classifier block 1 and the Role Combination for port 1 3 with a non match action of Bronze Service At this time it is o...

Page 67: ...os classifier 2 set id 1 name c1 element type l2 element id 1 ERS5500 Step 2 The next two commands add the second classifier with IP element 1 and L2 element 2 5500 config qos classifier 3 set id 2 name c2 element type ip element id 1 5500 config qos classifier 4 set id 2 name c2 element type l2 element id 2 ERS5500 Step 3 Add a classifier block with classifier 1 with an in provide action of Gold ...

Page 68: ...via Un restricted Port Role For this example assume we wish to accomplish the following in regarded to the untagged VLAN 5 ingress port members Set a port role of un restricted with port members 3 to 6 Select queue set 8 with 8 queues For ingress port members 3 5 we wish to map the following DSCP values Please use the show qos queue set assignment command to display the o For DSCP 0x12 Silver CoS ...

Page 69: ... Step 2 Assign the IP ACL s to ports 3 5 5500 config qos acl assign port 3 5 acl type ip name pbit 12 7 3 Policy Configuration 12 7 3 1 IP Element Configuration ERS5500 Step 1 Create IP Classifiers 5500 config qos ip element 1 ds field 18 5500 config qos ip element 2 ds field 26 5500 config qos ip element 3 ds field 34 12 7 3 2 Configure Classifier and Classifier Block For the classifier block we ...

Page 70: ...12 7 4 1 View the Queue Assignments The following commands are useful to display the queue mapping pertaining to the ACL configuration from above Step 1 Use the following command to view the internal mapping of p bit to queue for queue set 8 note results are only shown for queue set 8 ERS5500 24T show qos queue set assignment Result Queue Set 8 802 1p Priority Queue _______________ _____ 0 8 1 7 2...

Page 71: ...s 12 8 1 1 Enable Shaping on Port 8 As mentioned in section 5 3 if you do not specify maximum burst duration the maximum bucket size will automatically be configured For a 10 100 Mbps or 1 GigE port the value will be 524 288 bytes Hence it does not matter what value you enter as the max burst rate as long as it is greater than the shaped rate ERS5500 Step 1 Configure port 8 with a committed shape ...

Page 72: ...nuary 2013 avaya com 13 Software Baseline All configuration examples are based on software release 5 1 14 Reference Documentation Document Title Publication Number Description Configuration Quality of Service NN47200 504 217466 C Avaya Ethernet Routing Switch 5500 Series updated for software release 5 1 ...

Page 73: ...5 2 Getting product training Ongoing product training is available For more information or to register you can access the Web site at www avaya com support From this Web site you can locate the Training contacts link on the left hand navigation pane 15 3 Getting help from a distributor or reseller If you purchased a service contract for your Avaya product from a distributor or authorized reseller ...

Reviews:

No comments

Related manuals for ERS 5510

Brand: F5 Pages: 72

Brand: Garland Pages: 6

Brand: ICP DAS USA Pages: 8

Brand: QUNDIS Pages: 42

Brand: IBM Pages: 34

Brand: H3C Pages: 4

ACCULINK 3161 CSU

Brand: Paradyne Pages: 19

Brand: LevelOne Pages: 142

Brand: ORiNG Pages: 101

Brand: Jensen of Scandinavia Pages: 2

Brand: Patton electronics Pages: 8

ROADRECORDER 8400 NVR

Brand: Safety Vision Pages: 27

Brand: Belkin Pages: 42

Brand: ZyXEL Communications Pages: 36

Brand: Tripp Lite Pages: 2

Brand: D-Link Pages: 32

DGS-1016D - Switch

Brand: D-Link Pages: 74

DGS-2208 - Desktop Switch

Brand: D-Link Pages: 37

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands