Alcatel-Lucent 7210 SAS M OS Configuration Manual


7210 SAS M OS
Router Configuration Guide
Software Version: 7210 SAS OS 2.0 Rev. 01
June 2010
Document Part Number: 93-0230-02-01
*93-0230-02-01*


Summary of Contents for Alcatel-Lucent 7210 SAS M OS

  • Page 1 7210 SAS M OS Router Configuration Guide Software Version: 7210 SAS OS 2.0 Rev. 01 June 2010 Document Part Number: 93-0230-02-01 *93-0230-02-01*...
  • Page 2 Except as specifically permitted herein, no portion of the provided information can be reproduced in any form, or by any means, without prior written permission from Alcatel-Lucent. Alcatel, Lucent, Alcatel-Lucent and the Alcatel-Lucent logo are trademarks of Alcatel-Lucent. All other trademarks are the property of their respective owners.
  • Page 3: Table Of Contents

    Getting Started Alcatel-Lucent 7210 SAS-Series Router Configuration Process ....... .13 IP Router Configuration Configuring IP Router Parameters .
  • Page 4 Table of Contents Common Configuration Tasks ............93 Creating an IP Filter Policy .
  • Page 5 List of Tables Getting Started Table 1: Configuration Process ............13 IP Router Configuration Table 2: Default Route Preferences .
  • Page 6 List of Tables Page 6 7210 SAS M Router Configuration Guide...
  • Page 7 List of Figures Filter Policies Figure 1: Creating and Applying Filter Policies ..........79 Figure 2: Filtering Process Example .
  • Page 8 7210 SAS M Router Configuration Guide Page 8...
  • Page 9: Preface

    Preface About This Guide This guide describes logical IP routing interfaces, IP and MAC-based filtering support provided by the 7210 SAS OS and presents configuration and implementation examples. This document is organized into functional chapters and provides concepts and descriptions of the implementation flow, as well as Command Line Interface (CLI) syntax and command usage.
  • Page 10: List Of Technical Publications

    Preface List of Technical Publications The 7210-SAS M OS documentation set is composed of the following books: • 7210-SAS M OS Basic System Configuration Guide This guide describes basic system configurations and operations. • 7210-SAS M OS System Management Guide This guide describes system security and access configurations as well as event logging and accounting logs.
  • Page 11: Technical Support

    If you purchased a service agreement for your 7210 SAS router and related products from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller for assistance. If you purchased an Alcatel-Lucent service agreement, contact your welcome center Web: http://www1.alcatel-lucent.com/comps/pages/carrier_support.jhtml...
  • Page 12 Preface Page 12 7210 SAS M Router Configuration Guide...
  • Page 13: Getting Started

    In This Chapter This chapter provides process flow information to configure routing entities, virtual routers, IP and MAC filters. Alcatel-Lucent 7210 SAS-Series Router Configuration Process Table 1 lists the tasks necessary to configure logical IP routing interfaces, virtual routers, IP and MAC-based filtering.
  • Page 14: Getting Started

    Getting Started Page 14 7210 SAS M Router Configuration Guide...
  • Page 15: Ip Router Configuration

    IP Router Configuration In This Chapter This chapter provides information about commands required to configure basic router parameters. Topics in this chapter include: • Configuring IP Router Parameters on page 16 → Interfaces on page 16 • Configuration Notes on page 41 Page 15 7210 SAS M Router Configuration Guide...
  • Page 16: Configuring Ip Router Parameters

    Configuring IP Router Parameters Configuring IP Router Parameters In order to provision services on a 7210 SAS router, logical IP routing interfaces must be configured to associate attributes such as an IP address or the system with the IP interface. A special type of IP interface is the system interface. A system interface must have an IP address with a 32-bit subnet mask.
  • Page 17: Ip Addresses

    IP Router Configuration IP Addresses Router ID The router ID, a 32-bit number, uniquely identifies the router within an autonomous system (AS). In protocols such as OSPF, routing information is exchanged between areas, groups of networks that share routing information. It can be set to be the same as the loopback address. The router ID is used by both OSPF and BGP routing protocols in the routing table manager instance.
  • Page 18: Process Overview

    Process Overview Process Overview The following items are components to configure basic router parameters. • Interface — A logical IP routing interface. Once created, attributes like an IP address, port, link aggregation group or the system can be associated with the IP interface. •...
  • Page 19: Configuration Notes

    IP Router Configuration Configuration Notes The following information describes router configuration caveats. • A system interface and associated IP address should be specified. • Boot options file (BOF) parameters must be configured prior to configuring router parameters. 7210 SAS M Router Configuration Guide Page 19...
  • Page 20 Configuration Notes Page 20 7210 SAS M Router Configuration Guide...
  • Page 21: Configuring An Ip Router With Cli

    IP Router Configuration Configuring an IP Router with CLI This section provides information to configure an IP router. Topics in this section include: • Router Configuration Overview on page 22 • Basic Configuration on page 24 • Common Configuration Tasks on page 25 →...
  • Page 22: Router Configuration Overview

    “1.1.1.1” is not allowed, but “int-1.1.1.1” is allowed. To create an interface on an Alcatel-Lucent 7210 SAS router, the basic configuration tasks that must be performed are: •...
  • Page 23: Basic Configuration

    IP Router Configuration Basic Configuration NOTE: Refer to each specific chapter for specific routing protocol information and command syntax to configure protocols such as OSPF. The most basic router configuration must have the following: • System name • System address The following example displays a router configuration: A:ALA-A>...
  • Page 24: Common Configuration Tasks

    Common Configuration Tasks Common Configuration Tasks The following sections describe basic system tasks. • Configuring a System Name on page 25 • Configuring Interfaces on page 27 → Configuring a System Interface on page 27 → Configuring a Network Interface on page 27 •...
  • Page 25: Configuring Interfaces

    IP Router Configuration Configuring Interfaces The following command sequences create a system and a logical IP interface. The system interface assigns an IP address to the interface, and then associates the IP interface with a physical port. The logical interface can associate attributes like an IP address or port. Note that the system interface cannot be deleted.
  • Page 26 Common Configuration Tasks The following displays an IP configuration output showing interface information. A:ALA-A>config>router# info #------------------------------------------ # IP Configuration #------------------------------------------ interface "system" address 10.10.0.4/32 exit interface "to-ALA-2" address 10.10.24.4/24 port 1/1/1 egress filter ip 10 exit exit #------------------------------------------ A:ALA-A>config>router# Page 26 7210 SAS M Router Configuration Guide...
  • Page 27 IP Router Configuration CLI Syntax: 7210 SAS M Router Configuration Guide Page 27...
  • Page 28: Deriving The Router Id

    Common Configuration Tasks Deriving the Router ID The router ID defaults to the address specified in the system interface command. If the system interface is not configured with an IP address, then the router ID inherits the last four bytes of the MAC address.
  • Page 29: Service Management Tasks

    IP Router Configuration Service Management Tasks This section discusses the following service management tasks: • Changing the System Name on page 64 • Modifying Interface Parameters on page 65 • Deleting a Logical IP Interface on page 66 Changing the System Name em command sets the name of the device and is used in the prompt string.
  • Page 30: Modifying Interface Parameters

    Service Management Tasks Modifying Interface Parameters Starting at the level, navigate down to the router interface context. config>router To modify an IP address, perform the following steps: Example A:ALA-A>config>router# interface “to-sr1” A:ALA-A>config>router>if# shutdown A:ALA-A>config>router>if# no address A:ALA-A>config>router>if# address 10.0.0.25/24 A:ALA-A>config>router>if# no shutdown To modify a port, perform the following steps: Example A:ALA-A>config>router# interface “to-sr1”...
  • Page 31: Deleting A Logical Ip Interface

    IP Router Configuration Deleting a Logical IP Interface The no form of the command typically removes the entry, but all entity associations interface must be shut down and/or deleted before an interface can be deleted. 1. Before loopback IP interface can be deleted, it must first be administratively disabled with command.
  • Page 32 Service Management Tasks Page 32 7210 SAS M Router Configuration Guide...
  • Page 33: Ip Router Command Reference

    IP Router Configuration IP Router Command Reference Command Hierarchies Configuration Commands • Router Commands on page 33 • Router Interface Commands on page 37 • Show Commands on page 41 • Clear Commands on page 43 • Debug Commands on page 44 Router Commands config —...
  • Page 34: Router Interface Commands

    IP Router Command Reference Router Interface Commands config — router [router-name] — [no] interface ip-int-name — address {ip-address/mask | ip-address netmask} broadcast {all-ones | host- ones}] — no address — [no] allow-directed-broadcasts — arp-timeout seconds — no arp-timeout — description description-string —...
  • Page 35: Show Commands

    IP Router Configuration Show Commands show — router router-instance — [ ip-int-name | ip-address/mask | mac ieee-mac-address | summary] [local | dynamic | static | managed] — [ip-prefix/prefix-length [longer]] — interface [{[ip-address | ip-int-name] [detail] [family]} | [summary] — interface family [detail] —...
  • Page 36: Clear Commands

    IP Router Command Reference Clear Commands clear — router [router-instance] — {all | ip-addr | interface {ip-int-name | ip-addr}} Page 36 7210 SAS M Router Configuration Guide...
  • Page 37: Debug Commands

    IP Router Configuration Debug Commands debug — router router-instance — — [no] — icmp — no icmp — [no] interface [ip-int-name | ip-address] — [no] neighbor — packet [ip-int-name | ip-address] [headers] [protocol-id] — no packet [ip-int-name | ip-address] — route-table [ip-prefix/prefix-length] [longer] —...
  • Page 38 IP Router Command Reference Page 38 7210 SAS M Router Configuration Guide...
  • Page 39: Configuration Commands

    IP Router Configuration Configuration Commands Generic Commands shutdown Syntax [no] shutdown Context config>router>interface Description The shutdown command administratively disables the entity. When disabled, an entity does not change, reset, or remove any configuration settings or statistics. Many entities must be explicitly enabled using the no shutdown command.
  • Page 40: Router Global Commands

    Router Global Commands Router Global Commands router Syntax router Context config Description This command enables the context to configure router parameters, and interfaces. Default Base aggregate Syntax aggregate ip-prefix/ip-prefix-length no aggregate ip-prefix/mask Context config>router Description This command creates an aggregate route. Use this command to group a number of routes with common prefixes into a single entry in the routing table.
  • Page 41 IP Router Configuration router-id Syntax router-id ip-address no router-id Context config>router Description This command configures the router ID for the router instance. The router ID is used by OSPF routing protocols in this instance of the routing table manager. IS-IS uses the router ID value as its system ID.
  • Page 42 Router Global Commands Context config>router Description This command triggers route policy re-evaluation. By default, when a change is made to a policy in the config router policy options context and then committed, the change is effective immediately. There may be circumstances when the changes should or must be delayed;...
  • Page 43 IP Router Configuration preference preference — The preference of this static route versus the routes from different sources such as OSPF, expressed as a decimal integer. When modifying the preference of an existing static route, the metric will not be changed unless specified. Different protocols should not be configured with the same preference.
  • Page 44: Table 2: Default Route Preferences

    Router Global Commands tag — Adds a 32-bit integer tag to the static route. The tag is used in route policies to control distribution of the route into other protocols. Table 2: Default Route Preferences Route Type Preference Configurable Direct attached Static-route OSPF Internal routes IS-IS level 1 internal...
  • Page 45 IP Router Configuration Router Interface Commands interface Syntax [no] interface ip-int-name Context config>router Description This command creates a logical system or a loopback IP routing interface. Once created, attributes like IP address, port, or system can be associated with the IP interface. Interface names are case-sensitive and must be unique within the group of IP interfaces defined for config router interface.
  • Page 46 Router Interface Commands address Syntax address {ip-address/mask | ip-address netmask} [broadcast {all-ones | host-ones}] no address Context config>router>interface Description This command assigns an IP address, IP subnet, and broadcast address format to an IP system IP interface. Only one IP address can be associated with an IP interface. An IP address must be assigned to each IP interface.
  • Page 47 IP Router Configuration local subnet of the IP address. Note that a mask of 255.255.255.255 is reserved for system IP addresses. Values 128.0.0.0 — 255.255.255.255 netmask — The subnet mask in dotted decimal notation. Values 0.0.0.0 — 255.255.255.255 (network bits all 1 and host bits all 0) broadcast {all-ones | host-ones} —...
  • Page 48 Router Interface Commands When enabled, a frame destined to the local subnet on this IP interface is sent as a subnet broadcast out this interface. NOTE: Allowing directed broadcasts is a well-known mechanism used for denial-of-service attacks. By default, directed broadcasts are not allowed and are discarded at this egress IP interface. The no form of the command disables directed broadcasts forwarding out of the IP interface.
  • Page 49 IP Router Configuration Description This command assigns a specific MAC address to an IP interface. Only one MAC address can be assigned to an IP interface. When multiple mac commands are entered, the last command overwrites the previous command. The no form of the command returns the MAC address of the IP interface to the default value. Default IP interface has a system-assigned MAC address.
  • Page 50 Router Interface Commands The command returns an error if the interface is already associated with another port or the system. In this case, the association must be deleted before the command is re-attempted. The port-id can be in one of the following forms: •...
  • Page 51 ARP requests. Thus, the 7210 SAS M OS configuration can state that if it has a packet that has a certain IP address to send it to the corresponding ARP address. Use proxy ARP so 7210 SAS M responds to ARP requests on behalf of another device.
  • Page 52 Router Interface Commands Router Interface Filter Commands egress Syntax egress Context config>router>interface Description This command enables access to the context to configure egress network filter policies for the IP interface. If an egress filter is not defined, no filtering is performed. ingress Syntax ingress...
  • Page 53 IP Router Configuration Router Interface ICMP Commands icmp Syntax icmp Context config>router>interface Description This command enables access to the context to configure Internet Control Message Protocol (ICMP) parameters on a network IP interface. ICMP is a message control and error reporting protocol that also provides information relevant to IP packet processing.
  • Page 54 Router Interface Commands Parameters number — The maximum number of ICMP redirect messages to send, expressed as a decimal integer. This parameter must be specified with the time parameter. Values 10 — 1000 seconds — The time frame, in seconds, used to limit the number of ICMP redirect messages that can be issued, expressed as a decimal integer.
  • Page 55 IP Router Configuration ttl-expired Syntax ttl-expired [number seconds] no ttl-expired Context config>router>if>icmp Description This command configures the rate that Internet Control Message Protocol (ICMP) Time To Live (TTL) expired messages are issued by the IP interface. By default, generation of ICMP TTL expired messages is enabled at a maximum rate of 100 per 10 second time interval.
  • Page 56 Router Interface Commands seconds — The time frame, in seconds, used to limit the number of ICMP unreachable messages that can be issued, expressed as a decimal integer. Values 1 — 60 Page 56 7210 SAS M Router Configuration Guide...
  • Page 57 IP Router Configuration Show Commands Syntax arp [ip-int-name | ip-address/mask | mac ieee-mac-address | summary] [local | dynamic | static | managed] Context show>router Description This command displays the router ARP table sorted by IP address. If no command line options are specified, all ARP entries are displayed.
  • Page 58 Show Commands =============================================================================== IP Address MAC Address Expiry Type Interface ------------------------------------------------------------------------------- 10.20.1.24 00:16:4d:23:91:b8 00h00m00s Oth system 10.10.4.11 00:03:fa:00:d0:c9 00h57m03s Dyn[I] to-core-sr1 10.10.4.24 00:03:fa:41:8d:20 00h00m00s Oth[I] to-core-sr1 ------------------------------------------------------------------------------- No. of ARP Entries: 3 =============================================================================== A:ALA-A# show router ARP 10.10.0.3 =============================================================================== ARP Table =============================================================================== IP Address MAC Address...
  • Page 59 IP Router Configuration authentication Syntax authentication Context show>router Description This command enables the command to display authentication statistics. statistics Syntax statistics statistics interface [ip-int-name | ip-address] statistics policy name Context show>router>authentication Description This command displays interface or policy authentication statistics. Parameters interface [ip-int-name | ip-address] —...
  • Page 60 Show Commands Syntax fib [ip-prefix/prefix-length [longer]] summary Context show>router Description This command displays the active FIB entries for a specific IOM. Parameters ip-prefix/prefix-length — Displays FIB entries only matching the specified ip-prefix and length. Values ipv4-prefix: a.b.c.d (host bits must be 0) ipv4-prefix-length:[ 0 —...
  • Page 61 IP Router Configuration Label Description (Continued) Down — The IP interface is administratively disabled. Up — The IP interface is administratively enabled. Down — The IP interface is operationally disabled. Up — The IP interface is operationally disabled. Mode Network — The IP interface is a network/core IP interface. Port The physical network port associated with the IP interface.
  • Page 62 Show Commands Label Description (Continued) Global If Index The global interface index of the IP router interface. If Type Network — The IP interface is a network/core IP interface. SNTP B.cast Displays if the broadcast-client global parameter is configured. QoS Policy The QoS policy ID associated with the IP interface.
  • Page 63: Sample Output

    IP Router Configuration Summary IP Interface Output — The following table describes the summary output fields for the router IP interfaces. Label Description The router instance number. Instance The name of the router instance. Router Name The number of IP interfaces in the router instance. Interfaces The number of administratively enabled IP interfaces in the router Admin-Up...
  • Page 64 Show Commands route-table Syntax route-table [ip-prefix[/prefix-length] [longer | exact | protocol]] | [protocol protocol-name] [all]] route-table summary show>router Context Description This command displays the active routes in the routing table. If no command line arguments are specified, all routes are displayed, sorted by prefix. Parameters ip-prefix[/prefix-length] —...
  • Page 65 IP Router Configuration Summary Route Table Output — Summary output for the route table displays the number of active routes and the number of routes learned by the router by protocol. Total active and available routes are also displayed. Sample Output A:ALA-A# show router route-table summary =============================================================================== Route Table Summary...
  • Page 66 Show Commands static-arp Syntax static-arp [ip-addr | ip-int-name | mac ieee-mac-addr] Context show>router Description This command displays the router static ARP table sorted by IP address. If no options are present, all ARP entries are displayed. Parameters ip-addr — Only displays static ARP entries associated with the specified IP address. ip-int-name —...
  • Page 67 IP Router Configuration 12.200.1.1 00:00:5a:01:00:33 00:00:00 Inv to-ser1 =============================================================================== A:ALA-A# A:ALA-A# show router static-arp to-ser1 =============================================================================== ARP Table =============================================================================== IP Address MAC Address Type Interface ------------------------------------------------------------------------------- 10.200.0.253 00:00:5a:40:00:01 00:00:00 Sta to-ser1 =============================================================================== A:ALA-A# A:ALA-A# show router static-arp mac 00:00:5a:40:00:01 =============================================================================== ARP Table =============================================================================== IP Address...
  • Page 68 Show Commands static-route Syntax static-route [[ip-prefix /mask] | [preference preference] | [next-hop ip-address] | tag tag] Context show>router Description This command displays the static entries in the routing table. If no options are present, all static routes are displayed sorted by prefix. Parameters ip-prefix /mask —...
  • Page 69 IP Router Configuration Label Description (Continued) N — The static route is inactive; for example, the static route is disabled Active or the next hop IP interface is down. Y — The static route is active. The number of routes displayed in the list. No.
  • Page 70 Show Commands dscp-map Syntax dscp-map [dscp-name] Context show>router>sgt-qos Description This command displays DSCP to FC mappings. Parameters dscp-name — The specific DSCP name. Values be, ef, cp1, cp2, cp3, cp4, cp5, cp6, cp7, cp9, cs1, cs2, cs3, cs4, cs5, nc1, nc2, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, cp11, cp13, cp15, cp17, cp19, cp21, cp23, cp25, cp27, cp29, cp31, cp33, cp35, cp37, cp39, cp41, cp42, cp43, cp44, cp45, cp47, cp49, cp50, cp51, cp52, cp53, cp54, cp55, cp57, cp58, cp59,...
  • Page 71 IP Router Configuration Sample Output Note that there are multiple instances of OSPF. OSPF-0 is persistent. OSPF-1 through OSPF-31 are present when that particular OSPF instance is configured. *A:Performance# show router status ================================================================ Router Status (Router: Base) ================================================================ Admin State Oper State ---------------------------------------------------------------- Router...
  • Page 72 Show Commands tunnel-table Syntax tunnel-table [ip-address[/mask]] [protocol protocol | sdp sdp-id] [summary] Context show>router Description This command displays tunnel table information. Note that auto-bind GRE tunnels are not displayed in show command output. GRE tunnels are not the same as SDP tunnels that use the GRE encapsulation type.
  • Page 73 IP Router Configuration A:ALA-A>config>service# show router tunnel-table summary =============================================================================== Tunnel Table Summary (Router: Base) =============================================================================== Active Available ------------------------------------------------------------------------------- =============================================================================== A:ALA-A>config>service# 7210 SAS M Router Configuration Guide Page 73...
  • Page 74 Clear Commands Clear Commands router Syntax router Context clear>router Description This command clears for a the router instance in which they are entered. Parameters router-instance — Specify the router name or service ID. Values service-id: 1 — 2147483647 Default Base Syntax arp {all | ip-addr | interface {ip-int-name | ip-addr}} Context...
  • Page 75 IP Router Configuration Debug Commands router Syntax router Context debug Description This command configures debugging for a router instance. Parameters router-instance — Specify the router name or service ID. Values router-name: Base service-id: 1 — 2147483647 Default Base Syntax Context debug>router Description This command configures debugging for IP.
  • Page 76 Debug Commands interface Syntax [no] interface [ip-int-name | ip-address] Context debug>router>ip Description This command displays the router IP interface table sorted by interface index. Parameters ip-address — Only displays the interface information associated with the specified IP address. Values ipv4-address a.b.c.d (host bits must be 0) ip-int-name —...
  • Page 77 IP Router Configuration route-table Syntax route-table [ip-prefix/prefix-length] route-table ip-prefix/prefix-length longer no route-table Context debug>router>ip Description This command configures route table debugging. Parameters ip-prefix — The IP prefix for prefix list entry in dotted decimal notation. Values ipv4-prefix a.b.c.d (host bits must be 0) ipv4-prefix-length 0 —...
  • Page 78 Debug Commands Page 78 7210 SAS M Router Configuration Guide...
  • Page 79: Filter Policies

    Filter Policies In This Chapter This chapter provides information about filter policies and management. Topics in this chapter include: • Filter Policy Configuration Overview on page 80 → Service and Network PortIP Interface-Based Filtering on page 80 → Filter Policy Entities on page 81 •...
  • Page 80: Filter Policy Configuration Overview

    Filter Policy Configuration Overview Filter Policy Configuration Overview Filter policies, also referred to as Access Control Lists (ACLs), are templates applied to services or network IP interfaces to control network traffic into (ingress) or out of (egress) a service access port (SAP) or network IP interface based on IP and MAC matching criteria.
  • Page 81: Filter Policy Entities

    Filter Policies Filter Policy Entities A filter policy compares the match criteria specified within a filter entry to packets coming through the system, in the order the entries are numbered in the policy. When a packet matches all the parameters specified in the entry, the system takes the specified action to either drop or forward the packet.
  • Page 82 Filter Policy Configuration Overview • SAP ingress — IP and MAC filter policies applied on the SAP ingress define the Service Level Agreement (SLA) enforcement of service packets as they ingress a SAP according to the filter policy match criteria. •...
  • Page 83: Creating And Applying Policies

    Filter Policies Creating and Applying Policies Figure 3 displays the process to create filter policies and apply them to a service network IP interface. START SPECIFY SCOPE, DEFAULT ACTION, DESCRIPTION CREATE AN IP OR MAC FILTER (FILTER ID) CREATE FILTER ENTRIES (ENTRY ID) SPECIFY ACTION, PACKET MATCHING CRITERIA CREATE SERVICE ASSOCIATE FILTER ID...
  • Page 84: Packet Matching Criteria

    .Creating and Applying Policies Packet Matching Criteria Up to 65535 IP and 65535 MAC filter IDs (unique filter policies) can be defined. A maximum of 16384 filter entries can be defined in one filter at the same time. Each filter ID can contain up to 65535 filter entries.
  • Page 85 Filter Policies • TCP-ACK/SYN flags — Entering a TCP-SYN/TCP-ACK flag allows the filter to search for the TCP flags specified in these fields. 7210 SAS M Router Configuration Guide Page 85...
  • Page 86 .Creating and Applying Policies MAC filter policies match criteria that associate traffic with an ingress or egress SAP. Matching criteria to drop or forward MAC traffic include: • Source MAC address and mask Entering the source MAC address range allows the filter to search for matching a source MAC address and/or range.
  • Page 87: Table 4: Dscp Name To Dscp Value Table

    Filter Policies DSCP Values Table 4: DSCP Name to DSCP Value Table DSCP Name Decimal Hexadecimal Binary DSCP Value DSCP Value DSCP Value default af10 af11 af12 cp13 cp14 cp15 cp17 af21 cp19 af22 cp21 af23 cp23 cp25 af31 cp27 af32 cp29 7210 SAS M Router Configuration Guide...
  • Page 88 .Creating and Applying Policies Table 4: DSCP Name to DSCP Value Table (Continued) DSCP Name Decimal Hexadecimal Binary DSCP Value DSCP Value DSCP Value af33 cp21 cp33 af41 cp35 af42 cp37 af43 cp39 cp41 cp42 cp43 cp44 cp45 cp47 (cs6) cp49 cp50 cp51...
  • Page 89: Ordering Filter Entries

    Filter Policies Ordering Filter Entries When entries are created, they should be arranged sequentially from the most explicit entry to the least explicit. Filter matching ceases when a packet matches an entry. The entry action is performed on the packet. 7210 SAS supports either drop or forward action. To be considered a match, the packet must meet all the conditions defined in the entry.
  • Page 90 .Creating and Applying Policies Figure 4 displays an example of several packets forwarded upon matching the filter criteria and several packets traversing through the filter entries and then dropped. FILTER ID: 5 SEARCH CRITERIA: DEFAULT ACTION: DROP Source Address: 10.10.10.103 FILTER ENTIES: 10 (ACTION: FORWARD) 20 (ACTION: FORWARD) Destination Address: 10.10.10.104...
  • Page 91: Applying Filters

    Filter Policies Applying Filters After filters are created, they can be applied to the following entities: • Applying a Filter to a SAP on page 100 • Applying a Filter to a Network Portan IES Interfacea Network IP Interface on page 100 Applying a Filter to a SAP During the SAP creation process, ingress and egress filters are selected from a list of qualifying IP and MAC filters.
  • Page 92: Configuration Notes

    Configuration Notes Configuration Notes The following information describes filter implementation caveats: • Creating a filter policy is optional. • Associating a service with a filter policy is optional. • When a filter policy is configured, it should be defined as having either an exclusive scope for one-time use, or a template scope meaning that the filter can be applied to multiple SAPs.
  • Page 93: Ip Filters

    Filter Policies IP Filters • Define filter entry packet matching criteria — If a filter policy is created with an entry and entry action specified but the packet matching criteria is not defined, then all packets processed through this filter policy entry will pass and take the action specified. There are no default parameters defined for matching criteria.
  • Page 95: Configuring Filter Policies With Cli

    Filter Policies Configuring Filter Policies with CLI This section provides information to configure filter policies using the command line interface. Topics in this section include: • Basic Configuration on page 96 • Common Configuration Tasks on page 97 → Creating an IP Filter Policy on page 97 →...
  • Page 96: Basic Configuration

    Basic Configuration Basic Configuration The most basic IP and MAC filter policies must have the following: • A filter ID • Template scope, either exclusive or template • Default action, either drop or forward • At least one filter entry → Specified action, either drop or forward →...
  • Page 97: Creating An Ip Filter Policy

    Filter Policies Common Configuration Tasks This section provides a brief overview of the tasks that must be performed for both IP and MAC filter configurations and provides the CLI commands. To configure a filter policy, perform the following tasks: • Creating an IP Filter Policy on page 97 •...
  • Page 98: Ip Filter Entry

    Common Configuration Tasks IP Filter Entry Within a filter policy, configure filter entries which contain criteria against which ingress, egress, or network traffic is matched. The action specified in the entry determines how the packets are handled, either dropped or forwarded. •...
  • Page 99: Ip Entry Matching Criteria

    Filter Policies IP Entry Matching Criteria Use the following CLI syntax to configure IP filter matching criteria: The following displays an IP filter matching configuration. *A:ALA-48>config>filter>ip-filter# info ---------------------------------------------- description "filter-mail" scope exclusive entry 10 create description "no-91" match dst-ip 10.10.10.91/24 src-ip 10.10.10.103/24 exit action forward...
  • Page 100: Creating A Mac Filter Policy

    Common Configuration Tasks Creating a MAC Filter Policy Configuring and applying filter policies is optional. Each filter policy must have the following: • The filter type specified (MAC). • A filter policy ID. • A default action, either drop or forward. •...
  • Page 101 Filter Policies Creating an ISID Filter The following displays an ISID filter configuration example: A;ALA-7>config>filter# info ---------------------------------------------- mac-filter 90 create description "filter-wan-man" scope template entry 1 create description "drop-local-isids" match isid 100 to 1000 exit action drop exit entry 2 create description "allow-wan-isids"...
  • Page 102: Mac Filter Entry

    Common Configuration Tasks MAC Filter Entry Within a filter policy, configure filter entries which contain criteria against which ingress, egress, or network traffic is matched. The action specified in the entry determines how the packets are handled, either dropped or forwarded. •...
  • Page 103: Mac Entry Matching Criteria

    Filter Policies MAC Entry Matching Criteria The following displays a filter matching configuration example. A;ALA-7>config>filter>mac-filter# info ---------------------------------------------- description "filter-west" scope exclusive entry 1 create description "allow-104" match src-mac 00:dc:98:1d:00:00 ff:ff:ff:ff:ff:ff dst-mac 02:dc:98:1d:00:01 ff:ff:ff:ff:ff:ff exit action drop exit ---------------------------------------------- A:ALA-7>config>filter#
  • Page 104: Table 6: Applying Filter Policies

    Common Configuration Tasks Applying Filter Policies Filter policies can be associated with the following entities: Table 6: Applying Filter Policies IP Filter MAC Filter Epipe SAP Epipe SAP VPLS SAP VPLS SAP Network IP interface Apply IP and MAC Filter Policies The following example applies an IP and a MAC filter policy to an Epipe service: CLI Syntax: config>service# epipe service-id...
  • Page 105: Apply Filter Policies To A Network Ip Interface

    Filter Policies Apply Filter Policies to a Network IP Interface IP filter policies can be applied to network IP interfaces. MAC filters cannot be applied to network IP interfaces. Apply an IP Interface CLI Syntax: config>router# interface ip-int-name The following displays an IP filter applied to an interface at ingress. A:ALA-48>config>router# info #------------------------------------------ # IP Configuration...
  • Page 106: Filter Management Tasks

    Filter Management Tasks Filter Management Tasks This section discusses the following filter policy management tasks: • Renumbering Filter Policy Entries on page 121 • Modifying an IP Filter Policy on page 123 • Modifying a MAC Filter Policy on page 126 •...
  • Page 107 Filter Policies The following displays the original filter entry order on the left side and the reordered filter entries on the right side: A:ALA-7>config>filter# info A:ALA-7>config>filter# info ---------------------------------------------- ---------------------------------------------- ip-filter 11 create ip-filter 11 create description "filter-main" description "filter-main" scope exclusive scope exclusive entry 10 create entry 1 create...
  • Page 108: Modifying An Ip Filter Policy

    Filter Management Tasks Modifying an IP Filter Policy To access a specific IP filter, you must specify the filter ID. Use the no form of the command to remove the command parameters or return the parameter to the default setting. Example config>filter>ip-filter# description "New IP filter info"...
  • Page 109 Filter Policies dst-ip 10.10.10.91/24 src-ip 10.10.0.200/24 exit action forward exit exit ---------------------------------------------- A:ALA-7>config>filter#
  • Page 110: Modifying A Mac Filter Policy

    Filter Management Tasks Modifying a MAC Filter Policy To access a specific MAC filter, you must specify the filter ID. Use the no form of the command to remove the command parameters or return the parameter to the default setting. Example config>filter# mac-filter 90 config>filter>mac-filter# description "New filter info"...
  • Page 111: From An Ingress Sap

    Filter Policies Detaching/Deleting a Filter Policy Before you can delete a filter, you must remove the filter association from the applied ingress and egress SAPs and network interfaces. • From an Ingress SAP on page 127 • From an Egress SAP on page 127 •...
  • Page 112: From A Network Interface

    Filter Management Tasks From a Network Interface To delete a filter from a network interface, enter the following CLI commands: CLI Syntax: config>router# interface ip-int-name ingress Example: config>router>if>ingress# no filter ip 2 config>router>if>ingress#exit
  • Page 113: From The Filter Configuration

    Filter Policies From the Filter Configuration After you have removed the filter from the SAP, use the following CLI syntax to delete the filter. CLI Syntax: config>filter# no ip-filter filter-id CLI Syntax: config>filter# no mac-filter filter-id Example config>filter# no ip-filter 11 config>filter# no mac-filter 13
  • Page 114: Copying Filter Policies

    Filter Management Tasks Copying Filter Policies When changes are made to an existing filter policy, they are applied immediately to all services where the policy is applied. If numerous changes are required, the policy can be copied so you can edit the “work in progress”...
  • Page 115: Filter Command Reference

    Filter Policies Filter Command Reference Command Hierarchies • IP Filter Policy Commands on page 115 • MAC Filter Policy Commands on page 118 • Generic Filter Commands on page 120 • Show Commands on page 120 • Clear Commands on page 120 •...
  • Page 116 Filter Command Reference — no option-present — src-ip {ip-address/mask | ip-address netmask} — no src-ip — src-port {eq} src-port-number — no src-port — tcp-ack {true | false} — no tcp-ack — tcp-syn {true | false} — no tcp-syn
  • Page 117 Filter Policies — MAC Filter Policy Commands config — filter — mac-filter filter-id [create] — no mac-filter filter-id — description description-string — no description — default-action {drop | forward} — renum old-entry-id new-entry-id — scope {exclusive | template} — no scope —...
  • Page 118: Monitor Commands

    Filter Command Reference Generic Filter Commands config — filter — copy ip-filter | mac-filter src-filter-id [src-entry src-entry-id] to dst-filter-id [dst-entry dst-entry-id] [overwrite] Show Commands show — filter — download-failed — [ip-filter-id [entry entry-id] [association | counters] — {mac-filter-id [entry entry-id] [association | counters]} Clear Commands clear —...
  • Page 119 Filter Policies Configuration Commands Generic Commands description Syntax description string no description Context config>filter>ip-filter config>filter>ip-filter>entry config>filter>mac-filter config>filter>mac-filter>entry Description This command creates a text description stored in the configuration file for a configuration context. The description command associates a text string with a configuration context to help identify the context in the configuration file.
  • Page 120: Global Filter Commands

    Global Filter Commands Global Filter Commands ip-filter Syntax [no] ip-filter filter-id [create] Context config>filter Description This command creates a configuration context for an IP filter policy. IP-filter policies specify either a forward or a drop action for packets based on the specified match criteria.
  • Page 121 Filter Policies policy. Use the config filter copy command to maintain policies in this manner. The no form of the command deletes the mac-filter policy. A filter policy cannot be deleted until it is removed from all SAPs where it is applied. Parameters filter-id —...
  • Page 122: Filter Policy Commands

    Filter Policy Commands Filter Policy Commands default-action Syntax default-action {drop | forward} Context config>filter>ip-filter config>filter>mac-filter Description This command specifies the action to be applied to packets when the packets do not match the specified criteria in all of the IP filter entries of the filter. When multiple default-action commands are entered, the last command will overwrite the previous command.
  • Page 123: General Filter Entry Commands

    Filter Policies General Filter Entry Commands entry Syntax entry entry-id [time-range time-range-name] [create] no entry entry-id Context config>filter>ip-filter config>filter>mac-filter Description This command creates or edits an IP or MAC filter entry. Multiple entries can be created using unique entry-id numbers within the filter. The implementation exits the filter on the first match found and executes the actions in accordance with the accompanying action command.
  • Page 124: Ip Filter Entry Commands

    IP Filter Entry Commands IP Filter Entry Commands action Syntax action [drop] action forward action nat no action Context config>filter>ip-filter>entry Description This command specifies to match packets with a specific IP option or a range of IP options in the first option of the IP header as an IP filter match criterion.
  • Page 125 Filter Policies protocol-id — Configures the decimal value representing the IP protocol to be used as an IP filter match criterion. Well known protocol numbers include ICMP(1), TCP(6), UDP(17). The no form of the command removes the protocol from the match criteria. Values 0 —...
  • Page 126: Mac Filter Entry Commands

    MAC Filter Entry Commands MAC Filter Entry Commands action Syntax action drop action forward no action Context config>filter>mac-filter>entry Description This command configures the action for a MAC filter entry. The action keyword must be entered for the entry to be active. Any filter entry without the action keyword will be considered incomplete and will be inactive.
  • Page 127 Filter Policies with the match criteria is executed. If more than one match criteria (within one match statement) are configured then all criteria must be satisfied (AND function) before the action associated with the match will be executed. A match context may consist of multiple match criteria, but multiple match statements cannot be entered per entry.
  • Page 128: Ip Filter Match Criteria

    IP Filter Match Criteria IP Filter Match Criteria dscp Syntax dscp dscp-name no dscp Context config>filter>ip-filter>entry>match Description This command configures a DiffServ Code Point (DSCP) name to be used as an IP filter match criterion. The no form of the command removes the DSCP match criterion. Default no dscp Parameters...
  • Page 129 Filter Policies dst-port Syntax dst-port {eq} dst-port-number no dst-port Context config>filter>ip-filter>entry>match Description This command configures a destination TCP or UDP port number for an IP filter match criterion. The no form of the command removes the destination port match criterion. Default none Parameters...
  • Page 130 IP Filter Match Criteria The no form of the command removes the criterion from the match entry. Default no icmp-code Parameters icmp-code — The ICMP code values that must be present to match. Values 0 — 255 icmp-type Syntax icmp-type icmp-type no icmp-type Context config>filter>ip-filter>entry>match...
  • Page 131 Filter Policies src-ip Syntax src-ip {ip-address[/mask]} [netmask] no src-ip Context config>filter>ip-filter>entry>match Description This command configures a source IP address range to be used as an IP filter match criterion. To match on the source IP address, specify the address and its associated mask, e.g. 10.1.0.0/16. The conventional notation of 10.1.0.0 255.255.0.0 may also be used.
  • Page 132 IP Filter Match Criteria tcp-ack Syntax tcp-ack {true | false} no tcp-ack Context config>filter>ip-filter>entry>match Description This command configures matching on the ACK bit being set or reset in the control bits of the TCP header of an IP packet as an IP filter match criterion. The no form of the command removes the criterion from the match entry.
  • Page 133: Mac Filter Match Criteria

    Filter Policies MAC Filter Match Criteria dot1p Syntax dot1p ip-value [mask] no dot1p Context config>filter>mac-filter>entry Description Configures an IEEE 802.1p value or range to be used as a MAC filter match criterion. When a frame is missing the 802.1p bits, specifying a dot1p match criterion will fail for the frame and result in a non-match for the MAC filter entry.
  • Page 134 MAC Filter Match Criteria dst-mac Syntax dst-mac ieee-address [mask] no dst-mac Context config>filter>mac-filter>entry Description Configures a destination MAC address or range to be used as a MAC filter match criterion. The no form of the command removes the destination MAC address as the match criterion. Default no dst-mac Parameters...
  • Page 135 Filter Policies that are exclusive based on the frame format. The no form of the command removes the previously entered etype field as the match criteria. Default no etype Parameters ethernet-type — The Ethernet type II frame Ethertype value to be used as a match criterion expressed in hexadecimal.
  • Page 136 MAC Filter Match Criteria ieee-address-mask — This 48-bit mask can be configured using: Format Style Format Syntax Example Decimal DDDDDDDDDDDDDD 281474959933440 Hexadecimal 0xHHHHHHHHHHHH 0x0FFFFF000000 Binary 0bBBBBBBB...B 0b11110000...B To configure so that all packets with a source MAC OUI value of 00-03-FA are subject to a match condition then the entry should be specified as: 003FA000000 0xFFFFFF000000 Default 0xFFFFFFFFFFFF (exact match)
  • Page 137: Policy And Entry Maintenance Commands

    Filter Policies Policy and Entry Maintenance Commands copy Syntax copy {ip-filter | mac-filter} source-filter-id dest-filter-id dest-filter-id [overwrite] Context config>filter Description This command copies existing filter list entries for a specific filter ID to another filter ID. The copy command is a configuration level maintenance tool used to create new filters using existing filters. It also allows bulk modifications to an existing policy with the use of the overwrite keyword.
  • Page 138 Policy and Entry Maintenance Commands new-entry-id — Enter the new entry-number to be assigned to the old entry. Values 1 — 65535
  • Page 139 Filter Policies Show Commands download-failed Syntax download-failed Context show>filter Description This command shows all filter entries for which the download has failed. Output download-failed Output — The following table describes the filter download-failed output. Label Description Displays the filter type. Filter-type Displays the ID of the filter.
  • Page 140 Show Commands counters — Displays counter information for the specified filter ID. Note that egress counters count the packets without Layer 2 encapsulation. Ingress counters count the packets with Layer 2 encapsulation. Output Show Filter (no filter-id specified) — The following table describes the command output for the command when no filter ID is specified.
  • Page 141 Filter Policies Label Description (Continued) Applied The filter policy ID has not been applied. No — The filter policy ID is applied. Yes — Def. Action The default action for the filter ID for packets that do not Forward — match the filter entries is to forward.
  • Page 142 Show Commands Label Description (Continued) Matches the ACK bit being set or reset in the control bits of the On — TCP header of an IP packet. Egr. Matches The number of egress filter matches/hits for the filter entry. Sample Output A:ALA-49>config>filter# show filter ip 3 =============================================================================== IP Filter...
  • Page 143 Filter Policies Output Show Filter (with time-range specified) — If a time-range is specified for a filter entry, it is displayed. A:ALA-49# show filter ip =============================================================================== IP Filter =============================================================================== Filter Id : 10 Applied : No Scope : Template Def. Action : Drop Entries -------------------------------------------------------------------------------...
  • Page 144 Show Commands Output Show Filter Associations — The following table describes the fields that display when the associations keyword is specified. Label Description The IP filter policy ID. Filter Id The filter policy is of type Template. Scope Template — The filter policy is of type Exclusive.
  • Page 145 Filter Policies Output Show Filter Associations (with TOD-suite specified) — If a filter is referred to in a TOD Suite assignment, it is displayed in the show filter associations command output: A:ALA-49# show filter ip 160 associations =============================================================================== IP Filter =============================================================================== Filter Id : 160...
  • Page 146 Show Commands Syntax mac [mac-filter-id [associations | counters] [entry entry-id]] Context show>filter Description This command displays MAC filter information. Parameters mac-filter-id — Displays detailed information for the specified filter ID and its filter entries. Values 1— 65535 associations — Appends information as to where the filter policy ID is applied to the detailed filter policy ID output.
  • Page 147 Filter Policies Filter ID Specified — When the filter ID is specified, detailed filter information for the filter ID and its entries is produced. The following table describes the command output for the command. Label Description The MAC filter policy ID. MAC Filter Filter Id The filter policy is of type Template.
  • Page 148 Show Commands Label Description (Continued) The number of ingress filter matches/hits for the filter entry. Ing. Matches The number of egress filter matches/hits for the filter entry. Egr. Matches Sample Detailed Output =============================================================================== Mac Filter : 200 =============================================================================== Filter Id : 200 Applied : No...
  • Page 149 Filter Policies Sample Output A:ALA-49# show filter mac 3 associations =============================================================================== Mac Filter =============================================================================== Filter ID : 3 Applied : Yes Scope : Template Def. Action : Drop Entries ------------------------------------------------------------------------------- Filter Association : Mac ------------------------------------------------------------------------------- Service Id: 1001 Type : VPLS - SAP 1/1/1:1001 (Egress) ===============================================================================...
  • Page 150 Show Commands Label Description The MAC filter policy ID. Mac Filter Filter Id The filter policy is of type Template. Scope Template — The filter policy is of type Exclusive. Exclusive — The MAC filter policy description. Description The filter policy ID has not been applied. Applied No —...
  • Page 151 Filter Policies =============================================================================== A:ALA-49#
  • Page 152 Show Commands Clear Commands Syntax ip ip-filter-id [entry entry-id] [ingress | egress] Context clear>filter Description Clears the counters associated with the IP filter policy. By default, all counters associated with the filter policy entries are reset. The scope of which counters are cleared can be narrowed using the command line parameters.
  • Page 153 Filter Policies Monitor Commands filter Syntax filter ip ip-filter-id entry entry-id [interval seconds] [repeat repeat] [absolute | rate] Context monitor Description This command monitors the counters associated with the IP filter policy. Parameters ip-filter-id — The IP filter policy ID. Values 1 —...
  • Page 154 Show Commands interval — Configures the interval for each display in seconds. Default 5 seconds Values 3 — 60 repeat repeat — Configures how many times the command is repeated. Default Values 1 — 999 absolute — When the absolute keyword is specified, the raw statistics are displayed, without processing.
  • Page 155: Common Cli Command Descriptions

    Common CLI Command Descriptions In This Chapter This section provides information about common Command Line Interface (CLI) syntax and command usage. Topics in this chapter include: • SAP syntax on page 156
  • Page 156: Common Service Commands

    Common CLI Command Descriptions Common Service Commands SAP syntax Syntax [no] sap sap-id Description This command specifies the physical port identifier portion of the SAP definition. Parameters sap-id — Specifies the physical port identifier portion of the SAP definition. The sap-id can be configured in one of the following formats: Type Syntax Example...
  • Page 157: Standards And Protocol Support

    Standards and Protocol Support Standards Compliance RFC 3164 Syslog draft-ietf-secsh-architecture.txt SSH RFC 3273 HCRMON-MIB IEEE 802.1d Bridging Protocol Architecture RFC 3411 An Architecture for IEEE 802.1p/Q VLAN Tagging draft-ietf-secsh-userauth.txt SSH Describing Simple Network IEEE 802.1w Rapid Spanning Tree Authentication Protocol Management Protocol (SNMP) Protocol Management Frameworks...