manualshive.com logo in svg

Nortel 5510, Engineering Manual

Share
Download
Nortel 5510 Engineering Manual Download Page 31

Filters and QoS Configuration for ERS 5500 
Technical Configuration Guide   

   

  

v2.0 

              

 

 

 NN48500-559   

 
 

___________________________________________________________________________________________________________________________ 

Nortel Confidential Information   Copyright © 2008 Nortel Networks. All Rights Reserved. 

 
 

 

 

 

 

External Distribution

 

 

 

 

                              30

 

8.  IP Security Features 

This section covers the security features DHCP Snooping, ARP-Inspection, and IP Source Guard. 
DHCP Snooping and ARP-Inspection where added in the 5.0 software release while IP Source 
Guard was added in the 5.1 software release. If you are using a software release prior to 5.0, 
please see the next section. 

8.1  DHCP Snooping  

DHCP snooping is a security feature that builds a binding table on untrusted ports by monitoring 
DHCP messages. On core or uplink ports, the port(s) is considered trusted and should be 
configured as such. The DHCP snooping binding table consists of the leased IP address, MAC 
address, lease time, port number, and VLAN ID. DHCP snooping is configured at a per VLAN 
basis where, by default, all ports are set to untrusted. You must configure the uplink ports as 
trusted.  

Overall, DHCP snooping operates as follows: 

 

Allows only DHCP requests form untrusted ports.  

 

DHCP replies and all other DHCP messages from untrusted ports are dropped 

 

Verifies the DHCP snooping binding table on untrusted ports to verify the traffic entering 
a port by comparing the source MAC address against the DHCP lease IP address. If 
there is no match, the packet is dropped 

8.1.1  DHCP Snooping Configuration 

To enable DHCP snooping, enter the following command assuming we wish to enable DHCP 
snooping on VLANs 100 and 200 and the uplink port is 1/24.  

 

5500(config)#

ip dhcp-snooping vlan 100 

 

5500(config)#

ip dhcp-snooping vlan 200 

 

5500(config)#

ip dhcp-snooping enable 

 

5500(config)#

interface fastEthernet 1/24 

 

5500(config-if)#

ip dhcp-snooping trusted 

 

5500(config-if)#

exit 

8.2 Dynamic 

ARP 

Inspection 

Dynamic ARP Inspection verifies the ARP packets to prevent man-in-the-middle (MITM) types of 
attacks. Without dynamic ARP inspection, a malicious user can attack hosts in a local subnet by 
poisoning the ARP cache of hosts connected to this subnet by intercepting traffic intended for 
other hosts on the subnet. This normally takes place on VLAN with multiple hosts connected. 
Dynamic ARP inspection is used together with DHCP snooping by using the binding table to 
validate the host MAC address to IP address binding on untrusted ports. ARP packets on 
untrusted ports are only forward if they match the source MAC to IP address in the binding table. 
DHCP snooping must be enable prior to enabling dynamic ARP inspection.  

8.2.1  Dynamic ARP Inspection Configuration 

Assuming DHCP snooping is already enable for VLANs 100 and 200 and port 1/19 is the uplink 
port, enter the following commands: 

Summary of Contents for 5510

Page 1: ...10 5520 5530 Engineering Filters and QOS Configuration for Ethernet Routing Switch 5500 Technical Configuration Guide Enterprise Solutions Engineering Document Date April 01 2008 Document Number NN48500 559 Document Version 2 0 ...

Page 2: ...ers innovative technology solutions encompassing end to end broadband Voice over IP multimedia services and applications and wireless broadband designed to help people solve the world s greatest challenges Nortel does business in more than 150 countries For more information visit Nortel on the Web at www nortel com Copyright 2008 Nortel Networks All Rights Reserved While the information in this do...

Page 3: ...______________________ Nortel Confidential Information Copyright 2008 Nortel Networks All Rights Reserved External Distribution 2 Abstract This technical configuration guide provides an overview on how to configure QoS and Filters on the Ethernet Routing Switch 5500 with software release 5 1 The configuration examples are all in reference to the Nortel Networks Command Line Interface NNCLI ...

Page 4: ...TERFACE SHAPER 22 6 DEFAULT NORTEL CLASS OF SERVICE 24 7 QOS ACCESS LISTS ACL 25 7 1 ACL CONFIGURATION 25 8 IP SECURITY FEATURES 30 8 1 DHCP SNOOPING 30 8 2 DYNAMIC ARP INSPECTION 30 8 3 IP SOURCE GUARD 31 9 BPDU FILTERING 32 9 1 BPDU FILTERING CONFIGURATION 32 10 QOS INTERFACE APPLICATIONS 33 10 1 ARP SPOOFING 34 10 2 DHCP ATTACKS 35 10 3 DOS 36 10 4 BPDU BLOCKING 37 11 CONFIGURATION STEPS POLICY...

Page 5: ... Figures Figure 1 QoS System Diagram 6 Figure 2 QoS Flow Chart 9 Figure 3 Arp Spoofing Example 34 Figure 4 IP ACL DHCP Snooping ARP Inspection and Source Guard 50 Figure 5 L2 Classification Based on MAC Address Example 62 Figure 6 DSCP Mapping via Un restricted Port Role 66 List of Tables Table 1 Default QoS Action 7 Table 2 Example of Valid Port Ranges 11 Table 3 Default Policy Drop Action 12 Tab...

Page 6: ...ns used in this document Symbols Tip Highlights a configuration or technical tip L Note Highlights important information to the reader 1 Warning Highlights important information about an action that may result in equipment damage configuration or data loss Text Bold text indicates emphasis Italic text in a Courier New font indicates text the user must enter or select in a menu item button or comma...

Page 7: ...riate egress queue Figure 1 QoS System Diagram Role Combination A role combination is a grouping of one or more ports capabilities and interface classifications against which a policy is applied The capabilities presently supported on the Ethernet Routing Switch 5500 include ingress IP and Layer 2 classification The Ethernet Routing Switch 5500 supports the following interface classes that can be ...

Page 8: ...about the origin of the incoming traffic You may assign an action to set the DSCP or not to set the DSCP it s up to you This allows you to manipulate the DSCP value based upon the filter criteria and not upon the point of origin The following table displays a summary of the role combination capabilities Table 1 Default QoS Action Type of Filter Action Trusted Untrusted Unrestricted DSCP Does not c...

Page 9: ... certain classification criteria various actions can be initiated In profile actions metered traffic within specific bandwidth limits o Drop o Update DSCP o Update 802 1p o Drop precedence choice of low drop high drop or use egress map Out of profile actions metered traffic exceeding bandwidth limits o Drop o Update DSCP o Set drop precedence Non Match actions non metered traffic o Drop o Update D...

Page 10: ... basis Or you can group a number of Classifiers into a Classifier Block and then add the Classifier Block to a Policy on a per port basis The Ethernet Routing Switch 5500 supports up to 114 Classifiers per port for a total of greater than 40K Classifiers in a fully configured stack Figure 2 QoS Flow Chart Role Combination Application QoS Devices Interface Configuration Role Combination Interface C...

Page 11: ...rofile packets Associating a block of classifiers with a policy indicating that statistics are to be maintained could consume all counting resources for a single interface with one policy To avoid exhausting the number of counters available per interface one may select aggregate classifier tracking instead of individual classifier tracking when creating the policy By specifying aggregate classifie...

Page 12: ...nge support is limited to a certain extent however because ranges are represented as a bitmask within the overall classification mask and not with explicit minimum and maximum values A range must thus be specified by indicating which bits in the given field e g Layer 4 source port are ignored i e set to 0 Taking into account this limitation the following rules are used to determine valid range val...

Page 13: ...en a policy references a classifier block and members of the referenced block identify their own action or meter criteria action and meter data must not be specified by the policy The actions applied to packets include those actions defined from user defined policies and those actions defined from system default policies The user defined actions always carry a higher precedence than the system def...

Page 14: ...t similar to stop on match you will have to create a new action with a drop action of dontDrop JDM or disable CLI Statistics accumulation support a limited number of counters are available for tracking statistics Specifically 32 counters are available per port for tracking matching no metering specified in profile metering specified traffic statistics A total of 63 counters are available per port ...

Page 15: ...o any port Note that the switch must be rebooted if any changes are made Table 4 Ethernet Routing Switch 5500 Resource Sharing Setting Description Regular 1 port may use up to 16 of the buffers for a group of 12 ports Large 1 port may use up to 33 of the buffers for a group of 12 ports Maximum 1 port may use 100 of the buffers for a group of 12 ports Resource Sharing Commands 5520 24T PWR config q...

Page 16: ...you have 5 or more ports connected per group of 12 ports Egress CoS Queuing The following charts describe each possible egress CoS queuing setting The mapping of 802 1p priority to egress CoS queue dequeuing algorithm and queue weight is given Additionally the memory and maximum number of packets which can be buffered per egress CoS queue and resource sharing settings is shown Table 5 Ethernet Rou...

Page 17: ...B 31232B 92800B 2 6 6 12 20 61 1 18432B 31232B 86400B 0 7 3 12 20 56 36864B 51200B 163840B 7 1 Strict 100 24 33 107 33792B 49152B 151040B 6 2 52 22 32 99 31744B 47104B 137472B 5 3 24 20 31 90 26624B 43008B 124160B 4 4 14 17 28 81 3 21504B 37376B 111360B 2 5 7 14 24 73 1 18432B 34304B 98560B 6 CoS 0 6 Weighted Round Robin 3 12 22 64 46080B 64000B 199680B 7 1 Strict 100 30 42 131 41984B 59904B 18176...

Page 18: ... 1 2 Weighted Round Robin 100 40 53 172 7 6 5 4 131072B 262144B 786432B 1 CoS 3 1 Strict 100 86 172 518 Egress CoS Queuing CLI Commands 5520 24T PWR config show qos queue set assignment The show qos queue set assignment command displays in the CLI the 802 1p priority to egress CoS and QoS queue mapping for CoS setting 1 8 This command is in the CLI priv exec mode 5520 24T PWR config show qos queue...

Page 19: ...ss CoS and QoS queue set The default CoS QoS queue mode is 8 This command is in the CLI priv exec mode 5520 24T PWR config show qos agent The show qos agent command displays the current attributes for egress CoS and QoS queue mode resource sharing mode and QoS NVRAM commit delay This command is in the CLI priv exec mode 5520 24T PWR config qos agent nvram delay The qos agent nvram delay command wi...

Page 20: ...ucket sizes are supported on the ERS5530 only via the 10 GigE interface The token bucket allows a committed burst to occur up to the token bucket size For traffic metering an in profile and an out of profile action is configured and is expressed as an id You can use one of the default actions or create a new action prior to configuring a meter To view the action id s please use the command shown b...

Page 21: ...8 10 GigE 5530 5 2 Policing Traffic When configuring traffic policing the committed rate burst rate and burst duration can be configured using the following command 5530 24TFD config qos meter 1 55000 committed rate 64 10230000 Kbits sec max burst rate 64 4294967295 Kbits sec max burst duration 1 4294967295 Milliseconds in profile action 1 55000 out profile action 1 1 9 55000 QoS parameters Parame...

Page 22: ...o it does not matter what value you enter for the maximum burst rate as long as it is larger than the committed rate Example Let s assume you wish to set the committed rate to 10M and set the committed burst bucket size to 128K We also wish to mark all in profile traffic to Bronze and drop all out of profile traffic To accomplish this please use the following commands 1 Calculate the duration expr...

Page 23: ... shape rate burst rate and burst duration can be configured using the following command 5530 24TFD config interface fastEthernet all 5530 24TFD config if qos if shaper port port shape rate 64 10230000 Kbits sec max burst rate 64 4294967295 Kbits sec max burst duration 1 4294967295 milliseconds QoS interface shaping parameters Parameter Description portlist Ports to configure shaping parameters WOR...

Page 24: ... s assume you wish to set the committed rate to 40M and set the bucket size to 4K for port 8 To accomplish this please use the following commands 1 Calculate the duration expressed in milliseconds Using the actual bucket size from table 7 and a maximum burst rate of 50M Duration bucketSize 8 max burst rate committed rate Duration 4 096 8 50 000 000 40 000 000 Duration 3 2768 ms Rounded down the du...

Page 25: ...wing table shows the default Nortel Class of Service marking Table 9 Default Nortel CoS Markings DSCP Hex Decimal TOS Binary NNSC PHB 0x0 0 0x0 000000 00 CS0 0x0 0 0x0 000000 00 Standard DE 0x8 8 0x20 001000 00 CS1 0xA 10 0x28 001010 00 Bronze AF11 0x10 16 0x40 010000 00 CS2 0x12 18 0x48 010010 00 Silver AF21 0x18 24 0x60 011000 00 CS3 0x1A 26 0x68 011010 00 Gold AF31 0x20 32 0x80 100000 00 CS4 0x...

Page 26: ... subsequent precedence values for the ACL s You cannot assign traffic meters IP and L2 ACL s cannot be combined If you wish to combine L2 and L3 policies must be used ACL s cannot be modified you must first remove the ACL assign configuration at a port level then delete the ACL or ACL s you wish to modify and reconfigure the ACL or ACL s ACL s can be enabled or disabled However you cannot update o...

Page 27: ... 1 3 ACL Assign Configuration Once you have completed the ACL configuration the ACL name is then assigned at a port level using the following command 5500 config qos acl assign port port or port s acl type ip l2 name acl name 7 1 4 ACL Configuration Example 7 1 4 1 Configuration Assuming we wish to configure the following remark host 172 1 1 10 ftp traffic to CoS class of Silver remark host 172 1 ...

Page 28: ...l 5530H 24TFD show qos ip acl Name host Block tcpcommon Address Type IPv4 Destination Addr Mask Ignore Source Addr Mask 172 1 1 10 32 DSCP Ignore IPv4 Protocol IPv6 Next Header TCP Destination L4 Port Min Ignore Destination L4 Port Max Ignore Source L4 Port Min 21 Source L4 Port Max 21 IPv6 Flow Id Ignore Action Drop No Action Update DSCP 0x12 Action Update 802 1p Priority Ignore Action Set Drop P...

Page 29: ...e Enabled Classifier Type Block Classifier Name UntrustedClfrs1 Classifier Id 55001 Role Combination allQoSPolicyIfcs Meter Meter Id In Profile Action UntrustedClfrs1 In Profile Action Id 55001 Non Match Action Non Match Action Id Track Statistics Aggregate Precedence 2 Session Id 0 Storage Type Other Id 55002 Policy Name UntrustedClfrs2 State Enabled Classifier Type Block Classifier Name Untruste...

Page 30: ...CL Assuming we wish to change the http marking from CoS level of Gold to CoS level of Bronze enter the following command shown below From using the show command above we know that port 1 19 as been assigned ACL Assign ID of 1 Hence we need to remove this id first using the following command 5500 config no qos acl assign 1 or if you wish to remove the setting on an individual port we only used one ...

Page 31: ...he DHCP snooping binding table on untrusted ports to verify the traffic entering a port by comparing the source MAC address against the DHCP lease IP address If there is no match the packet is dropped 8 1 1 DHCP Snooping Configuration To enable DHCP snooping enter the following command assuming we wish to enable DHCP snooping on VLANs 100 and 200 and the uplink port is 1 24 5500 config ip dhcp sno...

Page 32: ...Guard IP source guard works together with the DHCP snooping binding table by providing security against invalid source IP addresses If enabled the source IP address is checked against the source IP address in the binding table on untrusted ports If the incoming source IP address does not match the IP address in the binding table the packet is dropped Please note that manual static assignment of IP...

Page 33: ...n addition to BPDU filtering If you select to shut down the port forever manual intervention is required to bring the port back up by disabling and then re enabling the port state BPDU filter is enabled at an interface level using the following commands 5520 1 config if spanning tree bpdu filtering timeout 10 65535 seconds or 0 for infinity 5520 1 config if spanning tree bpdu filtering enable 9 1 ...

Page 34: ...Spoofing SQLSlam Nachia Xmas TCP SynFinScan TCP FtpPort TCP DnsPort BPDU Blocker When using any of the QoS applications listed above a number of classifiers are required per QoS applications Please refer to table 10 shown below Table 10 QoS Applications Number of Classifiers Used Feature Number of Classifiers ARP Spoofing 5 DHCP Snooping 1 DHCP Spoofing 2 DoS SQLSlam 1 DoS Nachia 1 DoS Xmas 1 DoS ...

Page 35: ...e to prevent ARP MAC spoofing using off set filters to block any gratuitous ARPs gARP Basically you have to allow broadcast ARP block any ARP messages using the source IP or target IP of the default gateway and then allow ARP reply these filters should not be applied to the router port s only on the user ports In the 4 2 release or higher a new command has been added to prevent ARP Spoofing betwee...

Page 36: ...nooping QoS Application operates by classifying ports as access untrusted and core trusted and only allowing DHCP requests from the access ports All other types of DHCP messages received on access ports are discarded This prevents rogue DHCP servers from being set up by attackers on access ports and generating DHCP responses that provide the rogue server s address for the default gateway and DNS s...

Page 37: ...e of 376 byte UDP packets These packets will appear to be originating from seemingly random IP addresses and destined for UDP port 1434 When enabled the DoS SQLSlam QoS Application will drop UDP traffic whose destination port is 1434 with the byte pattern of 0x040101010101 starting at byte 47 of a tagged packet Nachia The W32 Nachi variants W32 Nachi A and W32 Nachi B are worms that spread using t...

Page 38: ...7 10 4 BPDU Blocking There are certain scenarios in a bridged switched environment when the user may wish to drop incoming BPDUs on a specific interface When enabled the BPDU Blocker QoS Application will drop traffic with a specific multicast destination MAC address Currently targeted BPDU multicast destination addresses are 01 80 c2 00 00 00 and 01 00 0c cc cc cd The following commands are used t...

Page 39: ...nfiguring a policy an interface group will be assigned to the policy To add a new role combination complete the following steps a Add a new Interface Group ERS5500 48T config qos if group name name class trusted unrestricted untrusted b Assign the physical ports to the Interface Group ERS5500 48T config qos if assign port port name if group name Example ERS5500 48T config qos if group name role_on...

Page 40: ...a port a Adding IP and L2 Element IP Element To add an IP element enter the following command ERS5500 48T config qos ip element 1 64000 addr type Specify the address type IPv4 IPv6 classifier criteria ds field Specify the DSCP classifier criteria dst ip Specify the destination IP classifier criteria dst port min Specify the L4 destination port minimum value classifier criteria flow id Specify the ...

Page 41: ...ier 1 64000 set id 1 64000 name name element type ip l2 element id 1 64000 Where element id IP element or L2 element ID Example Adding an IP element to a classifier ERS5500 48T config qos classifier 1 set id 1 name class_1 element type ip element id 1 Adding an IP element and a L2 element to a classifier ERS5500 48T config qos classifier 2 set id 2 name class_2 element type ip element id 2 ERS5500...

Page 42: ...0 Priority 7 Low Drop ReadOnl 9 Null_Action DPass Ignore Ignore Low Drop ReadOnl 64001 UntrustedClfrs1 DPass Ing 1p Ignore Low Drop Other 64002 UntrustedClfrs2 DPass 0x0 Priority 0 High Drop Other QoS Meter Command Parameters Parameters and variables Description metid Enter an integer to specify the QoS meter range is 1 to 64000 name metname Specify name for meter maximum is 16 alphanumeric charac...

Page 43: ... 1 64000 in profile action 1 64000 non match action 1 64000 precedence 3 10 track statistics individual aggregate NOTE Instead of clfr id you can also enter the classifier or classifier block name by using clfr name b To assign a Classifier to a new Policy with a meter enter the following command ERS5500 48T config qos policy 1 64000 name name if group if group name clfr type block classifier clas...

Page 44: ...__ _____ ______ ____________ ___________ _________ _______ 1 Drop_Traffic Yes Ignore Ignore High Drop ReadOnl 2 Standard_Service No 0x0 Priority 0 High Drop ReadOnl 3 Bronze_Service No 0xA Priority 2 Low Drop ReadOnl 4 Silver_Service No 0x12 Priority 3 Low Drop ReadOnl 5 Gold_Service No 0x1A Priority 4 Low Drop ReadOnl 6 Platinum_Service No 0x22 Priority 5 Low Drop ReadOnl 7 Premium_Service No 0x2...

Page 45: ...NOTE As all three classifiers use the same mask we will create a classifier block to group all three classifiers L At this time it is only possible to configure traffic meters using policies It is not possible to add traffic meters via ACL s 12 2 1 ERS5500 Configuration Using Policies 12 2 1 1 Configure the Interface Role Combination For this example we will configure a new role combination with p...

Page 46: ...ure Meters As mentioned in section 5 2 above if we do not configure a maximum duration rate the committed burst will be automatically set to the maximum value For all 10 100 Mbps and 1 GigE Ethernet ports the maximum committed burst is 524 288 bytes Hence it does not matter what value you enter for the max burst rate as long is it is greater than the committed rate ERS5500 Step 1 Create the QoS me...

Page 47: ...vidual 12 2 2 Verify Operations 12 2 2 1 Verify the Role Combination Step 1 Verify that the if group has been configured correctly ERS5500 24T show qos if group Result Role Interface Capabilities Storage Combination Class Type ________________________________ ____________ ___________________ ___________ allQoSPolicyIfcs Untrusted Input 802 Input IP ReadOnly unrestricted Unrestricted Input 802 Inpu...

Page 48: ...rt Min 69 Destination L4 Port Max 69 Source L4 Port Min Ignore Source L4 Port Max Ignore Session Id 0 Storage Type NonVolatile Id 3 Address Type IPv4 Destination Addr Mask Ignore Source Addr Mask Ignore DSCP Ignore IPv6 Flow Id Ignore IPv4 Protocol IPv6 Next Header UDP Destination L4 Port Min 137 Destination L4 Port Max 137 Source L4 Port Min Ignore Source L4 Port Max Ignore Session Id 0 Storage T...

Page 49: ...ession Id 0 Storage Type NonVolatile Id 3 Name m3 Commit Rate 1000 Kbps Commit Burst 524288 Bytes In Profile Action Standard_Service Out Profile Action Drop_Traffic Session Id 0 Storage Type NonVolatile Step 3 Verify that the Classifier Block with the correct classifier and meter number ERS5500 24T show qos classifier block Result Id 1 Block Name b1 Block Number 1 Classifier Name c1 Classifier Set...

Page 50: ...rtel Networks All Rights Reserved External Distribution 49 12 2 3 1 Verify Policy Configuration Step 1 Verify that the QoS Policy ERS5500 24T show qos policy Result Policy Name policy1 State Enabled Classifier Type Block Classifier Name b1 Classifier Id 1 Role Combination q2 Meter Meter Id In Profile Action In Profile Action Id Non Match Action Standard_Service Non Match Action Id 2 Track Statisti...

Page 51: ...ly allow access to the local network 10 62 32 0 24 and to the 10 10 30 0 24 network for full access to the internet Enable DHCP Snooping ARP Inspection and In regards to VLAN 220 we wish to accomplish the following Allow full access to the core network 172 0 0 0 8 and 10 0 0 0 8 Only allow only ICMP HTTP and HTTPS traffic to the internet 12 3 1 ERS5500 Configuration 12 3 1 1 Create VLAN s and Add ...

Page 52: ... 5500 config if exit ERS5500 Step 3 Add IP address to VLAN 700 and enable OSPF 5500 config interface vlan 700 5500 config if ip address 10 95 101 3 255 255 255 0 5500 config if ip ospf enable 5500 config if exit 12 3 1 3 Enable IP Routing and OSPF Globally ERS5500 Step 1 Enable IP routing and OSPF Globally 5500 config ip routing 5500 config router ospf enable 12 3 1 4 Enable DHCP Relay ERS5500 Ste...

Page 53: ... for VLAN s 110 and 220 and enable DHCP Snooping globally 5500 config ip dhcp snooping vlan 110 5500 config ip dhcp snooping vlan 220 5500 config ip dhcp snooping enable ERS5500 Step 1 Enable ARP Inspection for VLAN s 110 and 220 5500 config ip arp inspection vlan 110 5500 config ip arp inspection vlan 220 12 3 1 7 Enable IP Source Guard ERS5500 Step 1 Enable IP Source Guard on access port members...

Page 54: ...protocol 17 refers to UDP 12 3 1 9 Create ACL s for VLAN 220 Port Members ERS5500 Step 1 Create IP ACL s pertaining to VLAN 220 VLAN port members 5500 config qos ip acl name two dst ip 10 0 0 0 8 block b3 5500 config qos ip acl name two dst ip 172 0 0 0 8 block b3 5500 config qos ip acl name two protocol 6 dst port min 80 dst port max 80 block b4 5500 config qos ip acl name two protocol 6 dst port...

Page 55: ... the following command assuming we have port member on ports 6 and 9 ERS5500 24T show ip dhcp snooping binding Result MAC IP Lease sec VID Port 00 50 8b e1 58 e8 10 62 32 10 691200 110 6 00 02 a5 e9 00 28 10 13 196 10 691200 220 9 Total Entries 2 12 3 2 2 Verify ARP Inspection Step 1 Verify that ARP Inspection is enabled for VLAN s 110 and 220 ERS5500 24T show ip arp inspection vlan Result ARP VLA...

Page 56: ...tion Step 1 To view the IP ACL configuration enter the following command ERS5500 24T show qos ip acl Result Id 1 Name one Block Address Type IPv4 Destination Addr Mask 172 30 30 50 32 Source Addr Mask Ignore DSCP Ignore IPv4 Protocol IPv6 Next Header ICMP Destination L4 Port Min Ignore Destination L4 Port Max Ignore Source L4 Port Min Ignore Source L4 Port Max Ignore IPv6 Flow Id Ignore Action Dro...

Page 57: ...ation Addr Mask 10 62 32 0 24 Source Addr Mask Ignore DSCP Ignore IPv4 Protocol IPv6 Next Header Ignore Destination L4 Port Min Ignore Destination L4 Port Max Ignore Source L4 Port Min Ignore Source L4 Port Max Ignore IPv6 Flow Id Ignore Action Drop No Action Update DSCP Ignore Action Update 802 1p Priority Ignore Action Set Drop Precedence Low Drop Type Access List Storage Type NonVolatile Id 5 N...

Page 58: ...ow Id Ignore Action Drop No Action Update DSCP Ignore Action Update 802 1p Priority Ignore Action Set Drop Precedence Low Drop Type Access List Storage Type NonVolatile Id 8 Name two Block b3 Address Type IPv4 Destination Addr Mask 10 0 0 0 8 Source Addr Mask Ignore DSCP Ignore IPv4 Protocol IPv6 Next Header Ignore Destination L4 Port Min Ignore Destination L4 Port Max Ignore Source L4 Port Min Ig...

Page 59: ...ss Type IPv4 Destination Addr Mask Ignore Source Addr Mask Ignore DSCP Ignore IPv4 Protocol IPv6 Next Header TCP Destination L4 Port Min 443 Destination L4 Port Max 443 Source L4 Port Min Ignore Source L4 Port Max Ignore IPv6 Flow Id Ignore Action Drop No Action Update DSCP Ignore Action Update 802 1p Priority Ignore Action Set Drop Precedence Low Drop Type Access List Storage Type NonVolatile Id ...

Page 60: ...7 with CoS level of Gold UDP dst port 2000 2047 with CoS level of Silver As mentioned in section 3 3 a port range must start with an even minimum number while the maximum number rightmost consecutive 0 s are replaced with 1 s The table shown below displays the valid ranges that can be configured Table 9 Port Range Protocol Port or Port Range Min Max Range Binary Value Valid Ranges Port Min 2n 1 TC...

Page 61: ... max 127 ERS5500 Step 1 Create IP elements for UDP port range 2000 2027 5500 config qos ip element 3 protocol 17 dst port min 2000 dst port max 2015 5500 config qos ip element 4 protocol 17 dst port min 2016 dst port max 2047 12 4 1 3 Configure Classifiers one for each of the IP elements configured above ERS5500 Step 1 Create the an IP Classifier for each IP element created above 5500 config qos c...

Page 62: ...ig qos ip acl name range protocol 6 dst port min 96 dst port max 127 update dscp 26 ERS5500 Step 2 Create IP ACL s for UDP port range 2000 2047 to remark traffic to CoS level of Silver DSCP decimal 18 5500 config qos ip acl name range protocol 17 dst port min 2000 dst port max 2015 update dscp 18 5500 config qos ip acl name range protocol 17 dst port min 2016 dst port max 2047 update dscp 18 ERS55...

Page 63: ...re the Interface Role Combination ERS5500 Step 1 Create the Interface Role Combination and name is vlan_110 ERS5500 24T config qos if group name vlan_110 class unrestricted ERS5500 24T config qos if assign port 1 3 4 name vlan_110 12 5 1 2 Add new L2 element ERS5500 Step 1 Add an L2 element for VLAN 110 and specify MAC address 5500 config qos l2 element 1 src mac 00 00 0a 00 00 00 src mac mask ff ...

Page 64: ... match action 3 precedence 11 12 5 2 ERS5500 Configuration Using IP ACL s 12 5 2 1 Create L2 ACL s for MAC Address Range ERS5500 Step 1 Create L2 ACL s for MAC address range 00 00 01 00 00 00 to 00 00 01 00 00 ff 5500 config qos l2 acl name vlan_110 src mac 00 00 0a 00 00 00 src mac mask fff fff f00 ethertype 0x800 update dscp 10 ERS5500 Step 2 Pass all other traffic with standard CoS 5500 config ...

Page 65: ...omplish these tasks is to Create a Role Combination for port 1 3 Create the first classifiers element with host 1 s IP address and VLAN 110 and add to Classifier Block 1 with an in profile action of Gold Service Create a second classifier element with host 2 s IP address and VLAN 120 and add to Classifier Block 1 with an in profile action of Silver Service Create a Policy with Classifier block 1 a...

Page 66: ... element 1 5500 config qos classifier 1 set id 1 name c1 element type ip element id 1 5500 config qos classifier 2 set id 1 name c1 element type l2 element id 1 ERS5500 Step 2 The next two commands add the second classifier with IP element 1 and L2 element 2 5500 config qos classifier 3 set id 2 name c2 element type ip element id 1 5500 config qos classifier 4 set id 2 name c2 element type l2 elem...

Page 67: ...onfigure the ERS5500 to support internal QoS mapping for various DSCP values Figure 6 DSCP Mapping via Un restricted Port Role For this example assume we wish to accomplish the following in regarded to the untagged VLAN 5 ingress port members Set a port role of un restricted with port members 3 to 6 Select queue set 8 with 8 queues For ingress port members 3 5 we wish to map the following DSCP val...

Page 68: ...cl name pbit drop action disable ERS5500 Step 2 Assign the IP ACL s to ports 3 5 5500 config qos acl assign port 3 5 acl type ip name pbit 12 7 3 Policy Configuration 12 7 3 1 IP Element Configuration ERS5500 Step 1 Create IP Classifiers 5500 config qos ip element 1 ds field 18 5500 config qos ip element 2 ds field 26 5500 config qos ip element 3 ds field 34 12 7 3 2 Configure Classifier and Class...

Page 69: ...play the queue mapping pertaining to the ACL configuration from above Step 1 Use the following command to view the internal mapping of p bit to queue for queue set 8 note results are only shown for queue set 8 ERS5500 24T show qos queue set assignment Result Queue Set 8 802 1p Priority Queue _______________ _____ 0 8 1 7 2 6 3 5 4 4 5 3 6 1 7 2 Step 2 Use the following command to display queue set...

Page 70: ... Shaping on Port 8 As mentioned in section 5 3 if you do not specify maximum burst duration the maximum bucket size will automatically be configured For a 10 100 Mbps or 1 GigE port the value will be 524 288 bytes Hence it does not matter what value you enter as the max burst rate as long as it is greater than the shaped rate ERS5500 Step 1 Configure port 8 with a committed shape rate of 40 Mbps a...

Page 71: ...___________ Nortel Confidential Information Copyright 2008 Nortel Networks All Rights Reserved External Distribution 70 13 Software Baseline All configuration examples are based on software release 5 1 14 Reference Documentation Document Title Publication Number Description Configuration Quality of Service NN47200 504 217466 C Nortel Ethernet Routing Switch 5500 Series updated for software release...

Page 72: ...f you purchased a Nortel Networks service program contact Nortel Technical Support To obtain contact information online go to www nortel com contactus From the Technical Support page you can open a Customer Service Request online or find the telephone number for the nearest Technical Solutions Center If you are not connected to the Internet call 1 800 4NORTEL 1 800 466 7835 to learn the telephone ...

Reviews:

No comments

Brands by name

Popular brands

Load more brands