technology, networking and IP telephony
Posts tagged QOS
Traffic Filters and ACLs for the Ethernet Routing Switch 5000
Jul 19th
There have been a few recent comments on the blog and a few questions on the discussion forum around how ACLs (traffic filters) work on the Ethernet Routing Switch 5520. I thought I would take a few minutes to dive into the subject and perhaps either answer some of those questions or foster some additional discussion. Let me get right to the most popular question.
Is the Ethernet Routing Switch 5510/5520/5530 capable of performing basic IP filtering? Yes.
Prior to software release 5.0 you had to do all filtering in QoS policies. Much of the confusion comes from the fact that, to perform IP filtering similar to an ACL on a Cisco router, you had to create a QoS policy. With the 5.0 software you can create fairly straightforward ACLs, but only from the CLI or the web interface; there is no support for ACLs in Java Device Manager.
Let me walk you through a simple example.
I started with an ERS-5520-PWR, factory reset the switch and gave it a management IP address of 192.168.1.50 (VLAN 1);
5520-48T-PWR(config)#ip address switch 192.168.1.50
5520-48T-PWR(config)#ip default-gateway 192.168.1.1
5520-48T-PWR(config)#ip address netmask 255.255.255.0
I created VLAN 100 and moved ports 13-48 to VLAN 100 making sure to set the PVID;
5520-48T-PWR(config)#vlan members remove 1 13-48
5520-48T-PWR(config)#vlan create 100 type port
5520-48T-PWR(config)#vlan members add 100 13-48
5520-48T-PWR(config)#vlan ports 13-48 pvid 100
I enabled IP routing on the switch (remember out of the box it’s just a Layer 2 switch);
5520-48T-PWR(config)#ip routing
I enabled IP routing for VLAN 1 and then gave VLAN 100 an IP address/interface;
5520-48T-PWR(config)#interface vlan 1
5520-48T-PWR(config-if)#ip routing
5520-48T-PWR(config-if)#exit
5520-48T-PWR(config)#interface vlan 100
5520-48T-PWR(config-if)#ip address 192.168.100.1 255.255.255.0 2
5520-48T-PWR(config-if)#ip routing
5520-48T-PWR(config-if)#exit
Let’s just make sure that everything looks right before we get to the real meat of this post;
5520-48T-PWR#show vlan ip
==============================================================================
Vid  ifIndex  Address        Mask             MacAddress          Offset  Routing
==============================================================================
Primary Interfaces
------------------------------------------------------------------------------
1    10001    192.168.1.50   255.255.255.0    00:1F:0A:CE:XX:40   1       Enabled
100  10100    192.168.100.1  255.255.255.0    00:1F:0A:CE:XX:41   2       Enabled
------------------------------------------------------------------------------
% Total of Primary Interfaces: 2
The two IP interfaces are configured properly and have routing enabled. Let’s make sure that the routing table is correct;
5520-48T-PWR#show ip route
===============================================================================
Ip Route
===============================================================================
DST MASK NEXT COST VLAN PORT PROT TYPE PRF
-------------------------------------------------------------------------------
0.0.0.0 0.0.0.0 192.168.1.1 10 1 1 S IB 5
192.168.1.0 255.255.255.0 192.168.1.50 1 1 ---- C DB 0
192.168.100.0 255.255.255.0 192.168.100.1 1 100 ---- C DB 0
Total Routes: 3
-------------------------------------------------------------------------------
TYPE Legend:
I=Indirect Route, D=Direct Route, A=Alternative Route, B=Best Route, E=Ecmp Route, U=Unresolved Route, N=Not in HW
Here’s where the real work starts. I created an ACL named “testacl” and then assigned it to port 23.
5520-48T-PWR(config)#qos ip-acl name testacl src-ip 192.168.100.0/24 protocol 6 dst-port-min 80 dst-port-max 80
5520-48T-PWR(config)#qos ip-acl name testacl drop-action enable
5520-48T-PWR(config)#qos acl-assign port 23 acl-type ip name testacl
The statements above create an ACL that permits traffic sourced from 192.168.100.0/24 to TCP destination port 80 and drops everything else. The “drop-action enable” line is what adds the catch-all drop rule at the end of the ACL; rules are evaluated in Id order and the first match wins, so anything not matched by an earlier permit is discarded. I’ve assigned that ACL to port 23, where I have a test PC connected to the switch. Keep in mind that the ACL is applied to traffic ingressing port 23, and that with only a TCP/80 permit the PC’s DNS and DHCP traffic is dropped along with everything else.
Let’s just pretend that you forgot to allow DNS (UDP/53) queries in your IP filter so let’s back out the ACL and recreate it.
First we need to determine the ACL number that was assigned to our ACL called “testacl”. We can do that by issuing the following command;
5520-48T-PWR#show qos acl
Id     Name                          State     ACL Type  Unit/Port  Storage Type
_____  ____________________________  ________  ________  _________  ____________
1      testacl                       Enabled   IP        1/23       NonVol
We also need to know how many rules are in the IP ACL that’s being referenced above. We can do that with the following command;
5520-48T-PWR#show qos ip-acl
Id: 1
Name: testacl
Block:
Address Type: IPv4
Destination Addr/Mask: Ignore
Source Addr/Mask: 192.168.100.0/24
DSCP: Ignore
IPv4 Protocol / IPv6 Next Header: TCP
Destination L4 Port Min: 80
Destination L4 Port Max: 80
Source L4 Port Min: Ignore
Source L4 Port Max: Ignore
IPv6 Flow Id: Ignore
Action Drop: No
Action Update DSCP: Ignore
Action Update 802.1p Priority: Ignore
Action Set Drop Precedence: Low Drop
Type: Access List
Storage Type: NonVolatile

Id: 2
Name: testacl
Block:
Address Type: IPv4
Destination Addr/Mask: Ignore
Source Addr/Mask: Ignore
DSCP: Ignore
IPv4 Protocol / IPv6 Next Header: Ignore
Destination L4 Port Min: Ignore
Destination L4 Port Max: Ignore
Source L4 Port Min: Ignore
Source L4 Port Max: Ignore
IPv6 Flow Id: Ignore
Action Drop: Yes
Action Update DSCP: Ignore
Action Update 802.1p Priority: Ignore
Action Set Drop Precedence: Low Drop
Type: Access List
Storage Type: NonVolatile
Now we can remove the ACL from port 23 and then delete its rules from the switch. The assignment has to go first, and the rules are removed by Id, highest first;
5520-48T-PWR(config)#no qos acl-assign 1
5520-48T-PWR(config)#no qos ip-acl 2
5520-48T-PWR(config)#no qos ip-acl 1
Now we’ll rebuild the ACL allowing DNS queries to the broadband router;
5520-48T-PWR(config)#qos ip-acl name testacl src-ip 192.168.100.0/24 protocol 6 dst-port-min 80 dst-port-max 80
5520-48T-PWR(config)#qos ip-acl name testacl src-ip 192.168.100.0/24 dst-ip 192.168.1.1/32 protocol 17 dst-port-min 53 dst-port-max 53
5520-48T-PWR(config)#qos ip-acl name testacl drop-action enable
5520-48T-PWR(config)#qos acl-assign port 23 acl-type ip name testacl
Now that we have our filter, let’s see what it looks like (I’m not a fan of this output format). Note that the DNS permit is restricted to the router at 192.168.1.1; queries to any other resolver still hit the catch-all drop;
5520-48T-PWR#show qos ip-acl
Id: 1
Name: testacl
Block:
Address Type: IPv4
Destination Addr/Mask: Ignore
Source Addr/Mask: 192.168.100.0/24
DSCP: Ignore
IPv4 Protocol / IPv6 Next Header: TCP
Destination L4 Port Min: 80
Destination L4 Port Max: 80
Source L4 Port Min: Ignore
Source L4 Port Max: Ignore
IPv6 Flow Id: Ignore
Action Drop: No
Action Update DSCP: Ignore
Action Update 802.1p Priority: Ignore
Action Set Drop Precedence: Low Drop
Type: Access List
Storage Type: NonVolatile

Id: 2
Name: testacl
Block:
Address Type: IPv4
Destination Addr/Mask: 192.168.1.1/32
Source Addr/Mask: 192.168.100.0/24
DSCP: Ignore
IPv4 Protocol / IPv6 Next Header: UDP
Destination L4 Port Min: 53
Destination L4 Port Max: 53
Source L4 Port Min: Ignore
Source L4 Port Max: Ignore
IPv6 Flow Id: Ignore
Action Drop: No
Action Update DSCP: Ignore
Action Update 802.1p Priority: Ignore
Action Set Drop Precedence: Low Drop
Type: Access List
Storage Type: NonVolatile

Id: 3
Name: testacl
Block:
Address Type: IPv4
Destination Addr/Mask: Ignore
Source Addr/Mask: Ignore
DSCP: Ignore
IPv4 Protocol / IPv6 Next Header: Ignore
Destination L4 Port Min: Ignore
Destination L4 Port Max: Ignore
Source L4 Port Min: Ignore
Source L4 Port Max: Ignore
IPv6 Flow Id: Ignore
Action Drop: Yes
Action Update DSCP: Ignore
Action Update 802.1p Priority: Ignore
Action Set Drop Precedence: Low Drop
Type: Access List
Storage Type: NonVolatile
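Before pasting a filter like this onto a production port it is worth checking, offline, what it will actually permit. The following is an added example written for this post (it is not code from the original article or from the switch): a small Python model of the rule fields that “show qos ip-acl” displays, applied in Id order with first match winning, the same ordering the catch-all drop rule relies on. It replays both the original HTTP-only ACL and the rebuilt HTTP-plus-DNS ACL against a handful of constructed flows from a PC on port 23, and it renders the rebuilt ACL back into the CLI lines used above. Whether the switch permits traffic that matches no rule at all is not something the post covers, so the evaluator reports “no-match” for that case rather than guessing; the sample addresses and flows are made up for the example.

```python
"""Offline model of an ERS 5500-style QoS IP ACL (added example, not the switch's code).

Models the rule fields shown by `show qos ip-acl` (source/destination prefix,
IP protocol, destination L4 port range, drop action) and applies them in Id
order, first match wins. The catch-all appended by `drop-action enable` is an
ordinary rule whose match fields are all "Ignore" and whose action is drop.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

TCP, UDP, ICMP = 6, 17, 1


@dataclass(frozen=True)
class Rule:
    src: Optional[str] = None          # CIDR, or None for "Ignore"
    dst: Optional[str] = None          # CIDR, or None for "Ignore"
    protocol: Optional[int] = None     # IP protocol number, or None for "Ignore"
    dst_port_min: Optional[int] = None
    dst_port_max: Optional[int] = None
    drop: bool = False                 # "Action Drop: Yes" in show qos ip-acl

    def matches(self, src_ip: str, dst_ip: str, proto: int, dst_port: Optional[int]) -> bool:
        if self.src is not None and ip_address(src_ip) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(dst_ip) not in ip_network(self.dst):
            return False
        if self.protocol is not None and proto != self.protocol:
            return False
        if self.dst_port_min is not None:
            hi = self.dst_port_max if self.dst_port_max is not None else self.dst_port_min
            if dst_port is None or not (self.dst_port_min <= dst_port <= hi):
                return False
        return True

    def cli(self, name: str) -> str:
        """Render the `qos ip-acl name ...` line that creates this rule."""
        if self.drop:
            if (self.src, self.dst, self.protocol, self.dst_port_min) != (None, None, None, None):
                raise ValueError("only the catch-all drop form shown in the post is rendered")
            return f"qos ip-acl name {name} drop-action enable"
        parts = [f"qos ip-acl name {name}"]
        if self.src is not None:
            parts.append(f"src-ip {self.src}")
        if self.dst is not None:
            parts.append(f"dst-ip {self.dst}")
        if self.protocol is not None:
            parts.append(f"protocol {self.protocol}")
        if self.dst_port_min is not None:
            hi = self.dst_port_max if self.dst_port_max is not None else self.dst_port_min
            parts.append(f"dst-port-min {self.dst_port_min} dst-port-max {hi}")
        return " ".join(parts)


def evaluate(acl: List[Rule], src_ip: str, dst_ip: str, proto: int,
             dst_port: Optional[int] = None) -> str:
    """First matching rule decides; "no-match" when the ACL has no catch-all."""
    for rule in acl:
        if rule.matches(src_ip, dst_ip, proto, dst_port):
            return "drop" if rule.drop else "permit"
    return "no-match"


def to_cli(name: str, acl: List[Rule], port: int) -> List[str]:
    """Create-and-assign command sequence for one port, in the post's order."""
    return [r.cli(name) for r in acl] + [f"qos acl-assign port {port} acl-type ip name {name}"]


# The two ACLs from the post.
HTTP_ONLY = [Rule(src="192.168.100.0/24", protocol=TCP, dst_port_min=80, dst_port_max=80),
             Rule(drop=True)]
HTTP_AND_DNS = [Rule(src="192.168.100.0/24", protocol=TCP, dst_port_min=80, dst_port_max=80),
                Rule(src="192.168.100.0/24", dst="192.168.1.1/32", protocol=UDP,
                     dst_port_min=53, dst_port_max=53),
                Rule(drop=True)]

# Constructed sample flows as seen on ingress of port 23 from a PC in 192.168.100.0/24.
SAMPLES: List[Tuple[str, str, str, int, Optional[int]]] = [
    ("http", "192.168.100.20", "203.0.113.10", TCP, 80),
    ("dns to router", "192.168.100.20", "192.168.1.1", UDP, 53),
    ("dns elsewhere", "192.168.100.20", "203.0.113.53", UDP, 53),
    ("https", "192.168.100.20", "203.0.113.10", TCP, 443),
    ("dhcp discover", "0.0.0.0", "255.255.255.255", UDP, 67),
    ("ping router", "192.168.100.20", "192.168.1.1", ICMP, None),
]


def verdicts(acl: List[Rule]) -> Dict[str, str]:
    """Verdict per sample flow for the given ACL."""
    return {name: evaluate(acl, s, d, p, port) for name, s, d, p, port in SAMPLES}


if __name__ == "__main__":
    for label, acl in (("http only", HTTP_ONLY), ("http + dns", HTTP_AND_DNS)):
        print(label, verdicts(acl))
    print("\n".join(to_cli("testacl", HTTP_AND_DNS, 23)))
```

Running it shows that the rebuilt ACL permits DNS only to 192.168.1.1 and still drops HTTPS, ICMP and the PC’s DHCP discover (its source address is 0.0.0.0, which is outside the permitted /24), so a PC behind this filter needs a static address or a further permit rule.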
That’s a basic ACL filter using Layer 3 and Layer 4 parameters. There is a Technical Configuration Guide available from Nortel/Avaya that provides additional examples and covers filtering and QoS configuration of the Ethernet Routing Switch 5500 series switches. The guide is a little dated but still a very useful resource in my opinion.
Cheers!
Reference;
2008_04_01_Filters_and_QOS_Configurati0on_for_Ethernet_Routing_Switch_5500_TCG_NN48500559.pdf
Nortel Large Campus Technical Solution Guide
Sep 15th
Nortel recently released a highly technical document, the Large Campus Technical Solution Guide, that should be of great benefit to Nortel customers. This document covers an amazing amount of information and is a treasure trove for organizations looking for best-practice approaches to deploying and managing their Nortel data equipment.
The document covers topics such as convergence between IP telephony and data networking, chassis versus stackable, Layer 2 versus Layer 3 at the edge, redundancy, high availability, clustering (IST/SMLT), two tier and three tier network designs, VLANs, Spanning Tree, Control Plane Rate Limit (cp-limit), Extended CP-Limit (ext-cp-limit), VLACP, SLPP, QoS, VRRP, RSMLT, ECMP, Multicast, EAPoL and the list goes on and on. And best of all they provide configuration examples for a large number of the scenarios which are always helpful.
A lot of the material I cover here in my blog is covered in this document. I’ll probably pull a few excerpts from this document over the next few months and make some posts out of it, expanding on some of the examples and filling in any unanswered blanks.
I’m impressed with the effort that Nortel has made in trying to “get the word out”. This is really a great tool for Nortel customers! Let’s hope that Avaya will allow these folks to continue with their success.
On behalf of all those Nortel customers out there let me say “Thanks!”
Cheers!
Nortel ERS 5520 PwR Switch
Oct 23rd
I’ve added a command to disable the User Interface Button (UI button), “no ui-button enable”.
Update: February 7, 2009
It was time to update this article with some additional information and settings that I’m now using in all my switch deployments. The big change is the updated ADAC MAC address table. Please also note the VLACP time-out scale change and I’ve updated the year field for the Daylight Saving Time change.
Update: August 13, 2008
This was one of the first articles I wrote back in October 2007 and it is by far the most popular of the 110 articles I currently have published. With that said, I decided to come back and spruce up this post with some additional “tweaks” that I’ve added over the past 10 months. I’m also going to attach a link to a text file so folks can just download the file of commands, tweak the individual settings such as IP address and VLAN information, and then cut and paste into the CLI of the Nortel Ethernet Routing Switch 5520. It will hopefully save folks from having to cut and paste each section.
Note: just a quick warning about cutting and pasting into the CLI. I’ve often found that the input buffer will overflow if I try to paste an entire configuration at once. I usually need to break it into at least two or three sections and paste those sections one at a time.
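Splitting the paste by hand is error-prone: break it between an “interface fastEthernet …” line and its “exit” and the second chunk is pasted while the CLI is still in config-if mode, so the rest of the commands land in the wrong context. As an added example (not part of the original post), the Python helper below packs a configuration into chunks of at most a chosen number of lines without ever splitting an interface block, and checks each chunk for balance. The chunk size and the sample configuration (a constructed subset of the commands in this post) are assumptions made for the example; tune max_lines to what your console tolerates.

```python
"""Split a switch configuration paste into chunks the CLI input buffer can take.

Added example, not code from the original post. A chunk never ends inside an
`interface ...` / `exit` block, so each chunk leaves the CLI at the (config)#
prompt when it is pasted on its own.
"""
from typing import List


def indivisible_blocks(text: str) -> List[List[str]]:
    """Group commands so that an interface block always travels as one unit."""
    blocks: List[List[str]] = []
    current: List[str] = []
    in_interface = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):      # blank lines and comments are not pasted
            continue
        current.append(line)
        if line.startswith("interface "):
            in_interface = True
        elif line == "exit":
            in_interface = False
        if not in_interface:
            blocks.append(current)
            current = []
    if current:                                   # unterminated interface block: keep it together
        blocks.append(current)
    return blocks


def split_config(text: str, max_lines: int = 40) -> List[List[str]]:
    """Pack blocks into chunks of at most max_lines; an oversized block stands alone."""
    chunks: List[List[str]] = [[]]
    for block in indivisible_blocks(text):
        if chunks[-1] and len(chunks[-1]) + len(block) > max_lines:
            chunks.append([])
        chunks[-1].extend(block)
    return chunks


def is_balanced(chunk: List[str]) -> bool:
    """True if every `interface` line in the chunk is closed by an `exit` within it."""
    depth = 0
    for line in chunk:
        if line.startswith("interface "):
            depth += 1
        elif line == "exit" and depth > 0:
            depth -= 1
    return depth == 0


# Constructed sample: a subset of the commands from this post.
SAMPLE = """\
enable
configure terminal
no ui-button enable
vlan configcontrol autopvid
vlan ports 47,48 tagging enable
interface fastEthernet 1-46
lldp status txAndRx config-notification
poe poe-priority high
spanning-tree learning fast
adac enable
exit
interface fastEthernet 45-46
shutdown
exit
vlacp enable
"""


if __name__ == "__main__":
    for n, chunk in enumerate(split_config(SAMPLE, max_lines=6), 1):
        print(f"--- paste {n} ({len(chunk)} lines, balanced={is_balanced(chunk)}) ---")
        print("\n".join(chunk))
```

With max_lines=6 the sample becomes three pastes of 5, 6 and 4 lines; a naive split every six lines would instead cut the first interface block open after its “interface fastEthernet 1-46” line.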
In this post I’ll try to outline how you can configure the Nortel Ethernet Routing Switch 5520 in a VoIP environment using Nortel i2002/i2004 Internet Telephones (this procedure will also work the same with the i2007/1120E/1140E phones).
You’ll obviously need an ERS 5520 switch, and you’ll need SW 5.0.6.22 or later and FW 5.0.0.3 or later (there are known issues with earlier software versions that create inconsistent results using LLDP with the i2002/i2004 phones). I would strongly advise that you start with a default configuration. From the CLI issue the following commands to reset the switch to factory defaults;
5520-48T-PWR> enable
5520-48T-PWR# boot default
The switch should reboot with a default configuration. Let’s proceed with the configuration;
5520-48T-PWR> enable
5520-48T-PWR# configure terminal
Let’s set the local read-only and read-write passwords. “readpass” and “writepass” are placeholders; choose strong values, since these are the only credentials protecting the console and Telnet access, and Telnet carries them in cleartext;
5520-48T-PWR (config)#cli password read-only readpass
5520-48T-PWR (config)#cli password read-write writepass
5520-48T-PWR (config)#cli password serial local
5520-48T-PWR (config)#cli password telnet local
Let’s disable the user interface button (UI button);
5520-48T-PWR (config)# no ui-button enable
Enable AUTOPVID;
5520-48T-PWR (config)# vlan configcontrol autopvid
We’ll be uplinking this switch using a MultiLink trunk on ports 47 and 48, so we’ll enable tagging on the fiber uplinks;
5520-48T-PWR (config)# vlan ports 47,48 tagging enable
Let’s create the data VLAN (VID 100) and management VLAN (VID 200) on the switch;
5520-48T-PWR (config)# vlan members remove 1 ALL
5520-48T-PWR (config)# vlan create 200 name "10-1-200-0/24" type port
5520-48T-PWR (config)# vlan members add 200 47,48
5520-48T-PWR (config)# vlan create 100 name "10-1-100-0/24" type port
5520-48T-PWR (config)# vlan members add 100 1-48
5520-48T-PWR (config)# vlan port 1-46 pvid 100
5520-48T-PWR (config)# vlan port 47,48 pvid 200
Let’s make VLAN 200 the management VLAN and assign the IP address;
5520-48T-PWR (config)# vlan mgmt 200
5520-48T-PWR (config)# ip address switch 10.1.200.10 netmask 255.255.255.0 default-gateway 10.1.200.1
Let’s set up Simple Network Management Protocol (SNMP). The community strings and trap host are left out of the listing below; SNMPv1/v2c community strings travel in cleartext, so choose non-default values and don’t reuse the CLI passwords;
5520-48T-PWR (config)# snmp-server authentication-trap disable
5520-48T-PWR (config)# snmp-server community ro
5520-48T-PWR (config)# snmp-server community rw
5520-48T-PWR (config)# snmp-server host
Let’s configure the logging so it will overwrite the oldest events;
5520-48T-PWR (config)# logging volatile overwrite
5520-48T-PWR (config)# logging enable
Let’s setup Simple Network Time Protocol (SNTP);
5520-48T-PWR (config)# sntp server primary address
5520-48T-PWR (config)# sntp server secondary address
5520-48T-PWR (config)# sntp enable
Depending on the version of switch software you’re running you may be able to configure Daylight Saving Time;
5520-48T-PWR (config)#clock time-zone EST -5
5520-48T-PWR (config)#clock summer-time EDT date 9 Mar 2009 2:00 2 Nov 2009 2:00 +60
Let’s setup the MultiLink trunk that will connect the switch back to the backbone;
5520-48T-PWR (config)# mlt 1 disable
5520-48T-PWR (config)# mlt 1 name "MLT-8600"
5520-48T-PWR (config)# mlt 1 learning disable
5520-48T-PWR (config)# mlt 1 member 47,48
5520-48T-PWR (config)# mlt 1 enable
Let’s set up ADAC (Automatic Detection and Automatic Configuration) for our i2002/i2004 phones. We’ll be using VLAN 50 as our voice VLAN and port 48 as our uplink (the switch adds port 47 automatically because of the MLT configuration). There is a command to clear the ADAC MAC address table, “no adac mac-range-table”, that may be missing from earlier software versions. I’ve also updated the list of entries that I use.
5520-48T-PWR (config)# adac voice-vlan 50
5520-48T-PWR (config)# adac op-mode tagged-frames
5520-48T-PWR (config)# adac uplink-port 48
5520-48T-PWR (config)# no adac mac-range-table
5520-48T-PWR (config)# adac mac-range-table low-end 00:0a:e4:75:00:00 high-end 00:0a:e4:75:ff:ff
5520-48T-PWR (config)# adac mac-range-table low-end 00:13:65:00:00:00 high-end 00:13:65:ff:ff:ff
5520-48T-PWR (config)# adac mac-range-table low-end 00:14:c2:00:00:00 high-end 00:14:c2:ff:ff:ff
5520-48T-PWR (config)# adac mac-range-table low-end 00:16:ca:00:00:00 high-end 00:16:ca:ff:ff:ff
5520-48T-PWR (config)# adac mac-range-table low-end 00:17:65:00:00:00 high-end 00:17:65:ff:ff:ff
5520-48T-PWR (config)# adac mac-range-table low-end 00:18:b0:00:00:00 high-end 00:18:b0:ff:ff:ff
5520-48T-PWR (config)# adac mac-range-table low-end 00:19:69:00:00:00 high-end 00:19:69:ff:ff:ff
5520-48T-PWR (config)# adac mac-range-table low-end 00:19:e1:00:00:00 high-end 00:19:e1:ff:ff:ff
5520-48T-PWR (config)# adac mac-range-table low-end 00:1b:ba:00:00:00 high-end 00:1b:ba:ff:ff:ff
5520-48T-PWR (config)# adac mac-range-table low-end 00:1e:ca:00:00:00 high-end 00:1e:ca:ff:ff:ff
5520-48T-PWR (config)# adac mac-range-table low-end 00:22:67:00:00:00 high-end 00:22:67:ff:ff:ff
5520-48T-PWR (config)# adac enable
We need to strip the 802.1Q tag from frames in the PVID (data) VLAN before they go out to the phone, while leaving the voice VLAN frames tagged; that is exactly what “untagpvidOnly” does. In this design we’re expecting to connect IP phones to ports 1 – 46.
5520-48T-PWR (config)# vlan port 1-46 tagging untagpvidOnly
Let’s configure LLDP for the ports we expect to connect IP phones (1 – 46);
5520-48T-PWR (config)# interface fastEthernet 1-46
5520-48T-PWR (config-if)# vlan ports 1-46 filter-unregistered-frames disable
5520-48T-PWR (config-if)# lldp tx-tlv port-desc sys-cap sys-desc sys-name
5520-48T-PWR (config-if)# lldp status txAndRx config-notification
5520-48T-PWR (config-if)# lldp tx-tlv med extendedPSE med-capabilities network-policy
5520-48T-PWR (config-if)# poe poe-priority high
5520-48T-PWR (config-if)# spanning-tree learning fast
5520-48T-PWR (config-if)# adac enable
5520-48T-PWR (config-if)# exit
The “filter-unregistered-frames disable” line above was added after an issue was discovered when trying to upgrade the firmware on the IP phones. Filtering of unregistered frames is enabled by default and should be disabled on the phone ports to avoid issues with the phone firmware upgrade. We are attempting to investigate further with Nortel and our voice vendor Shared Technologies.
Let’s disable the two remaining ports that share the GBIC interfaces, in case we need those in the future;
5520-48T-PWR (config)# interface fastEthernet 45-46
5520-48T-PWR (config-if)# shutdown
5520-48T-PWR (config-if)# exit
Let’s set up a QoS interface group to trust all traffic that ingresses on the fiber uplinks. By default every port on the ERS 5520 belongs to the untrusted interface class, so the DSCP and 802.1p markings on traffic arriving from the core would not be honoured. Thankfully ADAC takes care of the QoS settings for all VoIP traffic on the phone ports.
5520-48T-PWR (config)# qos if-group name allUpLinks class trusted
5520-48T-PWR (config)# interface fastEthernet 47,48
5520-48T-PWR (config-if)# qos if-assign port 47,48 name allUpLinks
5520-48T-PWR (config-if)# exit
Let’s set the SNMP information;
5520-48T-PWR (config)# snmp-server name "sw-icr1-1east.sub.domain.org"
5520-48T-PWR (config)# snmp-server location "Acme Internet Phone Company (ICR1)"
5520-48T-PWR (config)# snmp-server contact "Network Infrastructure Team"
Let’s enable rate limiting for all broadcast and multicast traffic to 5% of the link (the argument to “rate-limit” is a percentage);
5520-48T-PWR (config)# interface fastEthernet ALL
5520-48T-PWR (config-if)# rate-limit both 5
5520-48T-PWR (config-if)# exit
Let’s set up VLACP (Virtual Link Aggregation Control Protocol) on the uplinks to the core;
5520-48T-PWR (config)# interface fastEthernet 47,48
5520-48T-PWR (config-if)# vlacp port 47,48 timeout short
5520-48T-PWR (config-if)# vlacp port 47,48 timeout-scale 5
5520-48T-PWR (config-if)# vlacp port 47,48 enable
5520-48T-PWR (config-if)# exit
5520-48T-PWR (config)# vlacp enable
That’s it, you’re done! Well, hopefully you’re done.
In my next post I’ll tell you what DHCP options you’ll need to configure on your DHCP server in order for the phones to boot properly and connect to the Nortel Call Server.
Cheers!