Filters and QoS for ERS 8600 R-Series Modules Technical Configuration Guide Avaya Data Solutions Document Date: July 2010 Document Number: NN48500-541 Document Version: 1.4 Ethernet Routing Switch 8600 R-Series Engineering


Filters and QoS for ERS 8600 R-Series Modules Technical Configuration Guide

Avaya Data Solutions Document Date: July 2010 Document Number: NN48500-541 Document Version: 1.4

Ethernet Routing Switch 8600 R-Series

Engineering

Filters and QoS for ERS 8600 R-Series Modules Technical Configuration Guide

2 July 2010

avaya.com

© 2010 Avaya Inc. All Rights Reserved.

Notices While reasonable efforts have been made to ensure that the information in this document is complete and accurate at the time of printing, Avaya assumes no liability for any errors. Avaya reserves the right to make changes and corrections to the information in this document without the obligation to notify any person or organization of such changes.

Documentation disclaimer Avaya shall not be responsible for any modifications, additions, or deletions to the original published version of this documentation unless such modifications, additions, or deletions were performed by Avaya. End User agrees to indemnify and hold harmless Avaya, Avaya's agents, servants and employees against all claims, lawsuits, demands and judgments arising out of, or in connection with, subsequent modifications, additions or deletions to this documentation, to the extent made by End User.

Link disclaimer Avaya is not responsible for the contents or reliability of any linked Web sites referenced within this site or documentation(s) provided by Avaya. Avaya is not responsible for the accuracy of any information, statement or content provided on these sites and does not necessarily endorse the products, services, or information described or offered within them. Avaya does not guarantee that these links will work all the time and has no control over the availability of the linked pages.

Warranty Avaya provides a limited warranty on this product. Refer to your sales agreement to establish the terms of the limited warranty. In addition, Avaya's standard warranty language, as well as information regarding support for this product, while under warranty, is available to Avaya customers and other parties through the Avaya Support Web site: http://www.avaya.com/support Please note that if you acquired the product from an authorized reseller, the warranty is provided to you by said reseller and not by Avaya.

Licenses THE SOFTWARE LICENSE TERMS AVAILABLE ON THE AVAYA WEBSITE, HTTP://SUPPORT.AVAYA.COM/LICENSEINFO/ ARE APPLICABLE TO ANYONE WHO DOWNLOADS, USES AND/OR INSTALLS AVAYA SOFTWARE, PURCHASED FROM AVAYA INC., ANY AVAYA AFFILIATE, OR AN AUTHORIZED AVAYA RESELLER (AS APPLICABLE) UNDER A COMMERCIAL AGREEMENT WITH AVAYA OR AN AUTHORIZED AVAYA RESELLER. UNLESS OTHERWISE AGREED TO BY AVAYA IN WRITING, AVAYA DOES NOT EXTEND THIS LICENSE IF THE SOFTWARE WAS OBTAINED FROM ANYONE OTHER THAN AVAYA, AN AVAYA AFFILIATE OR AN AVAYA AUTHORIZED RESELLER, AND AVAYA RESERVES THE RIGHT TO TAKE LEGAL ACTION AGAINST YOU AND ANYONE ELSE USING OR SELLING THE SOFTWARE WITHOUT A LICENSE. BY INSTALLING, DOWNLOADING OR USING THE SOFTWARE, OR AUTHORIZING OTHERS TO DO SO, YOU, ON BEHALF OF YOURSELF AND THE ENTITY FOR WHOM YOU ARE INSTALLING, DOWNLOADING OR USING THE SOFTWARE (HEREINAFTER REFERRED TO INTERCHANGEABLY AS "YOU" AND "END USER"), AGREE TO THESE TERMS AND CONDITIONS AND CREATE A BINDING CONTRACT BETWEEN YOU AND AVAYA INC. OR THE APPLICABLE AVAYA AFFILIATE ("AVAYA").

Copyright Except where expressly stated otherwise, no use should be made of the Documentation(s) and Product(s) provided by Avaya. All content in this documentation(s) and the product(s) provided by Avaya including the selection, arrangement and design of the content is owned either by Avaya or its licensors and is protected by copyright and other intellectual property laws including the sui generis rights relating to the protection of databases. You may not modify, copy, reproduce, republish, upload, post, transmit or distribute in any way any content, in whole or in part, including any code and software. Unauthorized reproduction, transmission, dissemination, storage, and or use without the express written consent of Avaya can be a criminal, as well as a civil offense under the applicable law.

Third Party Components Certain software programs or portions thereof included in the Product may contain software distributed under third party agreements ("Third Party Components"), which may contain terms that expand or limit rights to use certain portions of the Product ("Third Party Terms"). Information regarding distributed Linux OS source code (for those Products that have distributed the Linux OS source code), and identifying the copyright holders of the Third Party Components and the Third Party Terms that apply to them is available on the Avaya Support Web site: http://support.avaya.com/Copyright.

Trademarks The trademarks, logos and service marks ("Marks") displayed in this site, the documentation(s) and product(s) provided by Avaya are the registered or unregistered Marks of Avaya, its affiliates, or other third parties. Users are not permitted to use such Marks without prior written consent from Avaya or such third party which may own the Mark. Nothing contained in this site, the documentation(s) and product(s) should be construed as granting, by implication, estoppel, or otherwise, any license or right in and to the Marks without the express written permission of Avaya or the applicable third party. Avaya is a registered trademark of Avaya Inc. All non-Avaya trademarks are the property of their respective owners.

Downloading documents For the most current versions of documentation, see the Avaya Support Web site: http://www.avaya.com/support

Contact Avaya Support Avaya provides a telephone number for you to use to report problems or to ask questions about your product. The support telephone number is 1-800-242-2121 in the United States. For additional support telephone numbers, see the Avaya Web site: http://www.avaya.com/support


Revision Control

No Date Version Revised by Remarks


Table of Contents

Figures
Tables
Document Updates
1. Overview: R-Module Filter Specifications
  1.1 Access Control Templates (ACT)
  1.2 Access Control Entry (ACE)
  1.3 Access Control Lists (ACL)
2. Configuring ACLs
  2.1 ACT – Access Control Templates
  2.2 ACL
  2.3 ACE – Access Control Entry
3. R-Module Queuing
  3.1 Overview
  3.2 Default Packet QoS to Egress Queue Mapping
  3.3 Default Ingress p-bit to Internal QoS Level and Egress Queue Mapping
  3.4 Gigabit Ethernet Default Ingress DSCP to Egress Queue Mapping
  3.5 Egress Traffic Shaping
  3.6 Queue Set Configuration Commands
4. Ingress Traffic Policing
  4.1 Policing Configuration
5. QoS Concepts
  5.1 Changing the DiffServ Port Type
  5.2 L2 and L3 Trusted and Untrusted Ports
  5.3 QoS for R-Mode Modules
  5.4 Changing the Default Port or VLAN QoS Levels
  5.5 Adding a MAC QoS Level
6. Configuration Examples
  6.1 Configuration Example 1: Marking and Dropping Traffic
  6.2 Configuration Example 2: Filter Ranges and Policing
  6.3 Configuration Example 3: Setting Egress Queue Weight and Shaping Rate
  6.4 Configuration Example – Changing Egress Port Shaper
  6.5 Configuration Example – Deny ARP/MAC Spoofing Attack in a Layer 2 Environment
  6.6 Configuration Example – DoS Attacks
  6.7 Configuration Example – Port Mirror with ACL's
7. Appendix A – Configuration Files
  7.1 From Example 6.1
  7.2 From Example 6.2
  7.3 From Example 6.3
  7.4 From Example 6.4
  7.5 From Example 6.6
8. Appendix B – Pre-Defined ACT List
9. Appendix C – QoS Details
  9.1 Ethernet 802.1Q Tag in Ethernet Header
  9.2 DiffServ: QoS at Layer 3
  9.3 Ethernet Routing Switch (ERS) 8600 DSCP ToS/IP Mapping
10. Appendix D – Hardware Overview
11. Software Baseline:
Reference Documentation:
12. Customer service
  12.1 Getting technical documentation
  12.2 Getting product training
  12.3 Getting help from a distributor or reseller
  12.4 Getting technical support from the Avaya Web site


Figures

Figure 1: ACT, ACL, and ACE Relationship
Figure 2: Egress Traffic Shaping
Figure 3: Ingress Policing (L2-L7)
Figure 4: DiffServ Network Model
Figure 5: Diffserv Access Mode – 802.1p Override
Figure 6: DiffServ Core Mode – 802.1p Override Enabled
Figure 7: DiffServ Core Ports – 802.1p Override Disable
Figure 8: DiffServ Access Mode – 802.1p Override Disabled
Figure 9: DiffServ Disabled
Figure 10: Access Control Lists
Figure 11: Access Control Lists Continued
Figure 12: Example 1 Diagram
Figure 13: Filter Ranges and Policing
Figure 14: Deny ARP/MAC Spoofing Attack
Figure 15: 802.1Q Ethernet Header
Figure 16: DiffServ Code Point


Tables

Table 1: ACT Attributes
Table 2: Global ACL Actions
Table 3: Ethernet Interface Type Default Internal QoS Mapping
Table 4: Default p-bit Interface Internal QoS Level and Egress Queue Mapping
Table 5: L2 and L3 Trusted Port Actions
Table 6: L2 and L3 Untrusted Port Actions
Table 7: L2 Trusted and L3 Untrusted Port Actions
Table 8: L2 Untrusted and L3 Trusted Port Actions
Table 9: QoS Features Supported
Table 10: PP8600 DSCP ToS/IP Mapping


Document Updates

July 30, 2010


1. Overview: R-Module Filter Specifications

The Ethernet Routing Switch (ERS) 8600 in release 4.0 supports Access Control Lists (ACLs) for filtering. The implementation of ACLs is only applicable to the new R-modules. None of the legacy Ethernet Routing Switch (ERS) 8600 filters are supported on the R-modules; likewise, none of the ACLs are supported on the legacy modules.

Figure 1: ACT, ACL, and ACE Relationship

ACLs are supported for both ingress and egress and can be applied to a port or a VLAN. Hence, four types of ACLs are supported, two for ingress port or VLAN and two for egress port or VLAN. Up to 2000 ACEs can be configured per port for ingress and egress (1000 VLAN and 1000 port).

An ACL is made up of a list of filter rules called Access Control Entries (ACEs), each of which defines a pattern found in a packet together with the desired behavior for matching packets. An ACE supports various operations such as range, equal, greater, less, not, wildcard or pattern match. As a packet comes through an interface configured with an ACL, the matching ACEs are scanned for that packet and the corresponding actions for those ACEs are applied according to their precedence.

1.1 Access Control Templates (ACT)

ACTs are used to pick the attributes and pattern information that will be used in the ACEs of a particular ACL. In release 4.0, you can create a new ACT or use one of the many pre-defined ACTs. The pre-defined ACTs can be viewed via Device Manager or CLI. These ACTs can be used by one or more ACLs. Once an ACL is created with a particular ACT, the user will not be able to modify the ACT. ACT IDs, from 1 to 4096, are used throughout the system and an optional ACT name can also be specified.

An ACT can only be deleted when no ACLs are using that ACT.

The ACT can also contain pattern parameters used for offset filtering. When setting up an ACT for offset filtering, you can specify the base of where in the packet you wish to start filtering and the offset length.

[Figure 1 labels: VLAN; Port; Ingress ACL-1; Egress ACL-2; Ingress ACL-3; ACT-1; ACT-2; ACE-1, ACE-2, ACE-3, ACE-N; "ACE has list of ports and MLTs"]


NOTE: When setting up a new ACT, it is recommended to choose only the attributes you plan to use when setting up the ACEs. For each additional attribute included in an ACT, an additional lookup has to be performed. Therefore, to enhance performance, it is recommended to keep the ACT attribute set as small as possible. For example, if you plan to filter on source IP, destination IP, and DSCP, only these IP attributes should be selected when setting up the ACT. Note that the number of ACEs within an ACL does not impact performance.

1.1.1 ACT Attributes

The following ACT attributes are supported:

• Arp operation
  o If the packet is an ARP packet, then this attribute is used to match on the ARP operation (arp request or arp response). The only operator supported for this attribute is "eq".

• Ethernet Attributes
  o Specifies one of the following Ethernet attributes: none, source MAC, destination MAC, etherType, port, VLAN, or VLAN Tag Priority.

• IP Attributes
  o Specifies one or more of the following IP attributes: none, source IP, destination IP, IP fragmentation flag, IP Options, IP protocol type, or DSCP.

• Protocol Attributes
  o Specifies one or more of the following Protocol attributes: none, TCP source port, UDP source port, TCP destination port, UDP destination port, TCP flags, or ICMP message flags.

1.1.2 ACT Attributes for Off-Set Filtering

An ACT can also contain pattern parameters used for offset filtering. If setting up an ACT pattern for offset pattern matching, you first need to select the base where to start the off-set filter. Next, you need to select the offset bit position expressed in bits and the offset length also expressed in bits.

NOTE: Up to three ACT attributes can be configured per ACL. If you require more than three ACT attributes, a Port and VLAN ACL type can be combined to support up to six ACT attributes.

NOTE: Although the pattern length for each ACT attribute can be up to 56 bits, two or three ACT attributes can be combined in an ACT to filter on a pattern length greater than 56 bits. For example, two ACT attributes can be combined to allow for filtering on a pattern up to 112 bits.

The following table displays the pattern options available.

Table 1: ACT Attributes

Field    Description

Base     Specifies one of the following as the user-defined header for the ACEs of the ACL:

         Item               Description
         etherBegin         Beginning of the ethernet packet
         macDstBegin        Start of mac destination field in the ethernet header
         macSrcBegin        Start of source mac field in the ethernet header
         ethTypeLenBegin    Start of the type/length field in the ethernet header
         arpBegin           Beginning of the Hardware Address type field in the arp packet
         ipHdrBegin         Beginning of the IP header (version field)
         ipOptionsBegin     Beginning of the IP options field in the ip header. This is normally
                            after the IP destination address. If the packet does not have IP
                            options, meaning the header length is equal to 5, we do not apply the
                            filter. The filter will only be applied if the header length is
                            greater than 5.
         ipPayloadBegin     Begins right after the IP header. This is after the IP destination
                            address. If the packet has IP options, then it is after the ip options
                            plus padding.
         ipTosBegin         Beginning of the TOS byte in the IP header
         ipProtoBegin       Beginning of the IP Protocol Type in the IP Header (starting with 9th byte)
         ipSrcBegin         Beginning of the source IP field in the IP header
         ipDstBegin         Beginning of the destination IP field in the IP header
         tcpBegin           Beginning of the source port field in the tcp header
         tcpSrcportBegin    Beginning of the source port field in the tcp header
         tcpDstportBegin    Beginning of the destination port field in the tcp header
         tcpFlagsEnd        End of the tcp flags field in the tcp header (beginning of the window field)
         udpBegin           Beginning of the source port field in the UDP header
         udpSrcportBegin    Beginning of the source port field in the UDP header
         udpDstportBegin    Beginning of the destination port field in the UDP header
         etherEnd           End of ethernet header
         ipHdrEnd           End of ip header (after ip options and padding)
         icmpMsgBegin       Beginning of the ICMP header (type field in the icmp msg header)
         tcpEnd             End of tcp header
         updEnd             End of udp header

Offset   Set the offset in bits to the beginning offset of the user-defined field with the selected header option as a base. Valid values here are from 0-76800.

Length   Sets the number of bits to extract from the beginning of the offset. Valid values here are from 1-56.
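To make the base/offset/length semantics of Table 1 concrete, the following added example (not part of the Avaya guide, and not the switch's implementation) models pattern extraction in Python over a constructed, untagged Ethernet II / IPv4 / TCP frame. It covers only a subset of the bases and assumes bits are counted most-significant-first in network order; the function names and sample addresses are hypothetical.

```python
import struct

MAX_OFFSET_BITS = 76800   # Table 1: valid Offset values are 0-76800
MAX_LENGTH_BITS = 56      # Table 1: valid Length values are 1-56


def build_frame(ip_options: bytes = b"") -> bytes:
    """Constructed sample: untagged Ethernet II / IPv4 / TCP SYN to port 80, DSCP 46."""
    if len(ip_options) % 4:
        raise ValueError("IP options must be padded to a multiple of 4 bytes")
    ihl = 5 + len(ip_options) // 4                  # IP header length in 32-bit words
    eth = bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 46 << 2, ihl * 4 + 20, 0, 0x4000,
                     64, 6, 0, bytes([10, 1, 1, 10]), bytes([10, 1, 2, 20]))
    tcp = struct.pack("!HHIIHHHH", 49152, 80, 0, 0, 0x5002, 8192, 0, 0)
    return eth + ip + ip_options + tcp


def base_offsets(frame: bytes) -> dict:
    """Byte position of each modelled Table 1 base that exists in this frame."""
    bases = {"etherBegin": 0, "macDstBegin": 0, "macSrcBegin": 6,
             "ethTypeLenBegin": 12, "etherEnd": 14}
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return bases                                # not IPv4: no IP or L4 bases
    ip = 14
    ihl = frame[ip] & 0x0F
    l4 = ip + ihl * 4                               # moves when IP options are present
    bases.update(ipHdrBegin=ip, ipTosBegin=ip + 1, ipProtoBegin=ip + 9,
                 ipSrcBegin=ip + 12, ipDstBegin=ip + 16,
                 ipHdrEnd=l4, ipPayloadBegin=l4)
    if ihl > 5:                                     # Table 1: no options, filter not applied
        bases["ipOptionsBegin"] = ip + 20
    proto = frame[ip + 9]
    if proto == 6:
        bases.update(tcpBegin=l4, tcpSrcportBegin=l4, tcpDstportBegin=l4 + 2,
                     tcpFlagsEnd=l4 + 14)
    elif proto == 17:
        bases.update(udpBegin=l4, udpSrcportBegin=l4, udpDstportBegin=l4 + 2)
    return bases


def extract(frame: bytes, base: str, offset_bits: int, length_bits: int):
    """Return the selected field as an int, or None when the pattern does not apply."""
    if not 0 <= offset_bits <= MAX_OFFSET_BITS:
        raise ValueError("offset must be 0-76800 bits")
    if not 1 <= length_bits <= MAX_LENGTH_BITS:
        raise ValueError("length must be 1-56 bits")
    start_byte = base_offsets(frame).get(base)
    if start_byte is None:
        return None                                 # base absent from this packet
    end_bit = start_byte * 8 + offset_bits + length_bits
    if end_bit > len(frame) * 8:
        return None                                 # field runs past the end of the frame
    whole = int.from_bytes(frame, "big")
    return (whole >> (len(frame) * 8 - end_bit)) & ((1 << length_bits) - 1)


def match_all(frame: bytes, patterns) -> bool:
    """patterns: (base, offset_bits, length_bits, expected) tuples, all of which must match."""
    return all(extract(frame, b, o, n) == v for b, o, n, v in patterns)


PLAIN = build_frame()
WITH_OPTIONS = build_frame(bytes([1, 1, 1, 0]))    # three NOPs and end-of-list

if __name__ == "__main__":
    print("DSCP:", extract(PLAIN, "ipTosBegin", 0, 6))
    print("dst port via tcpDstportBegin:", extract(WITH_OPTIONS, "tcpDstportBegin", 0, 16))
    print("dst port via fixed offset from ipHdrBegin:", extract(WITH_OPTIONS, "ipHdrBegin", 176, 16))
    # Two 48-bit patterns together cover the 96-bit destination + source MAC pair.
    print("MAC pair:", match_all(PLAIN, [("macDstBegin", 0, 48, 0x001122334455),
                                         ("macSrcBegin", 0, 48, 0x66778899AABB)]))
```

In this model a fixed offset from ipHdrBegin reads the wrong bytes once a packet carries IP options, whereas a protocol-relative base such as tcpDstportBegin still lands on the intended field.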


1.2 Access Control Entry (ACE)

ACEs are configured with a set of values along with the actions to be taken if a packet matches a particular ACE. If an attribute specified in the ACT does not have a value specified in the ACE, then that attribute value will be treated as a wildcard.

The attributes that can be specified for an ACE are divided into several categories since they cannot be specified on the same command line. The categories are Ethernet, Arp, IP, Protocol and Advanced. The actions can be specified by the "action" and "debug" commands.

The values for the attributes can be specified using several operators like equal-to, not-equal-to, less-than-or-equal-to, greater-than-or-equal-to. If the equal-to and not-equal-to operators are used, the user can specify a list and/or a range of values. A single value has to be specified for the other 2 operators. There are some special operators that are used with specific attributes. They are match-any, match-all, prefix-list and any. These operators will be discussed later in this section.

Since an ACE configuration takes several command lines, the default state of the ACE when it is created is "disabled". An explicit "enable" command has to be issued to enable the ACE. The user will not be able to enable the ACE until at least the "action" command has been entered. Note that multiple entries for the same ACE can be entered in one command line using a semicolon ";" between entries.

After the ACE is enabled, the ACE cannot be modified except for the "debug" actions. The ACE has to be disabled, modified and then re-enabled to make any modifications.

If L3 and L4 attributes are configured, ACEs are applied to the non-fragments and the initial fragment of an IP packet.

A maximum of 500 port ACEs and 500 VLAN ingress ACEs plus a total of 500 port and 500 VLAN egress ACEs can be configured per port for a total of 2000 ACEs per port. The total number of ACEs that can be configured is 10,000 ingress and 10,000 egress. Up to 1,000 ingress and 1,000 egress ACEs can have the count flag enabled.

1.2.1 ACE Actions

An ACL can contain multiple ACEs where each ACE can have a corresponding action of permit or deny. The default action of permit is applied when there are no ACE matches for a particular packet. An ACL can also have a global action which is applied to all ACEs applied to this ACL. The default global action is none. You can modify the default action and global action at any time.


Table 2: Global ACL Actions

Ingress (port, VLAN-based)
  Match criteria:  MAC, p-bits, VLAN tag, ARP, IP, TOS, DSCP, TCP, and UDP
  Match pattern:   Base, offset, and length
  Action:          Permit, deny, redirect to next hop, redirect to MLT index, remark-dot1p/DSCP, police, send to egress queue, mirror count

Egress (port, VLAN-based)
  Match criteria:  MAC, p-bits, VLAN tag, ARP, IP, TOS, DSCP, TCP, and UDP
  Match pattern:   Base, offset, and length
  Action:          Permit, deny, mirror

Priority
  Based on ID (portACL before VlanACL)

If a packet matches multiple ACEs, the non-contradicting actions of all ACEs according to their precedence (ACE Id) will be taken. If a stop-on-match flag is specified for an ACE, filtering will stop and the specified action for this ACE will be taken.

1.2.2 Priority of ACEs

If a packet matches multiple ACEs in an ACL, the actions of the highest priority ACE will be applied. The actions of the remaining ACEs will be applied only if the mode is the same as the highest priority ACE, and the actions were non-overlapping with the highest priority ACE.

Here are a few examples:

Example 1

  ACE 1 - mode permit, actions - police
  ACE 2 - mode deny, actions mirror

  We apply the actions of only ACE 1

Example 2

  ACE 1 - mode deny, actions mirror
  ACE 2 - mode permit, actions - police

  We apply the actions of only ACE 1

Example 3

  ACE 1 - mode permit, actions - police
  ACE 2 - mode deny, actions - mirror
  ACE 3 - mode permit, actions - police, mirror
  ACE 4 - mode permit, actions remark-dscp

  We apply the actions of ACE 1 and ACE 4

Example 4

  ACE 1 - mode permit, actions - police
  ACE 2 - mode deny, actions - mirror
  ACE 3 - mode permit, actions - mirror, stop-on-match
  ACE 4 - mode permit, actions remark-dscp

  The actions of ACE1 and ACE3 are applied


1.3 Access Control Lists (ACL)

ACLs are used to group filter rules called ACEs. An ACL can be applied to a VLAN or a Port on the Ingress or Egress. A VLAN or a Port can only be associated with one Ingress ACL and one Egress ACL.

When an ACL is created, by default, it will come up in the enabled state. If an ACL is disabled, all ACEs within that ACL will be disabled. When the ACL is re-enabled again, the ACEs that were enabled previously will get enabled.

If an ACL is deleted, all ACEs within the ACL will also be deleted.

Since both port based and vlan based ACLs are supported, depending on the configuration, the actions of both ACLs to a particular packet may be applied. In this case, the port based ACL actions get preference, and will be applied first.

The default action is applied when there are no ACE matches for a particular packet. The global actions will be applied to all ACEs that match a particular packet. The default action value is "permit", and the default global action is "none". The default action and global action can be modified anytime.

1.3.1 Priority of ACLs

A user can configure both port based ACLs and vlan based ACLs. It is advisable to apply only one type of ACL to a packet. However, depending on the configuration, there may be cases where the actions of both port based ACLs and vlan based ACLs have to be applied to a packet. In this case, we apply the port based ACL actions first. We will apply vlan based ACL actions only if the mode is the same as that of the port based ACL and the vlan based ACL has ACEs whose actions do not overlap with the port based ACL actions.

Here are a few examples:

Example 1

Port ACL - mode permit, some actions

Vlan ACL - mode deny, some actions

We apply the actions of Port ACL only

Example 2

Port ACL:

o ACE 1: mode permit, action – police

Vlan ACL:

o ACE 1 : mode permit, action – police

o ACE 2 : mode permit, action remark-dscp

We apply the actions of port ACL and actions of ACE 2 of VLAN ACL.

Example 3

Port ACL:

o ACE 1: mode permit, action – police

Vlan ACL:

o ACE 1 : mode permit, action - police, remark-dscp

The actions of port ACL are only applied.
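The precedence rules of sections 1.2.2 and 1.3.1 can be checked offline with a small model. The following is an added example, not Avaya code and not the switch's implementation: it assumes a lower ACE Id means higher priority (as in the examples above), that overlap is tested against every action already selected (which agrees with all examples on this page), and that stop-on-match takes effect only on an ACE whose actions are applied. The names Ace, ace and resolve are hypothetical.

```python
from collections import namedtuple
from dataclasses import dataclass

Result = namedtuple("Result", "mode actions applied skipped")


@dataclass(frozen=True)
class Ace:
    ace_id: int
    mode: str                         # "permit" or "deny"
    actions: frozenset = frozenset()  # e.g. {"police", "mirror", "remark-dscp"}
    stop_on_match: bool = False


def ace(ace_id, mode, *actions, stop=False):
    """Shorthand constructor for the constructed samples below."""
    return Ace(ace_id, mode, frozenset(actions), stop)


def resolve(port_aces=(), vlan_aces=(), default_action="permit"):
    """Resolve the ACEs that one packet matched into the actions actually taken.

    port_aces / vlan_aces hold only the ACEs the packet matched in the port based
    and vlan based ACL. Port ACL entries are considered first (section 1.3.1).
    """
    ordered = [("port", a) for a in sorted(port_aces, key=lambda a: a.ace_id)]
    ordered += [("vlan", a) for a in sorted(vlan_aces, key=lambda a: a.ace_id)]
    if not ordered:
        # No ACE matched: the ACL default action applies ("permit" unless changed).
        return Result(default_action, frozenset(), [], [])
    mode = ordered[0][1].mode         # the highest priority match decides the mode
    actions, applied, skipped = set(), [], []
    for acl_type, entry in ordered:
        if entry.mode != mode or (actions & entry.actions):
            # Different mode, or an action that overlaps one already selected.
            skipped.append((acl_type, entry.ace_id))
            continue
        actions |= entry.actions
        applied.append((acl_type, entry.ace_id))
        if entry.stop_on_match:
            break                     # later ACEs are not evaluated at all
    return Result(mode, frozenset(actions), applied, skipped)


if __name__ == "__main__":
    # Section 1.2.2, Example 3 (constructed from the text above).
    r = resolve([ace(1, "permit", "police"), ace(2, "deny", "mirror"),
                 ace(3, "permit", "police", "mirror"), ace(4, "permit", "remark-dscp")])
    print(r.applied, "skipped:", r.skipped)
    # Section 1.3.1, Example 2: port ACL plus ACE 2 of the VLAN ACL.
    r = resolve([ace(1, "permit", "police")],
                [ace(1, "permit", "police"), ace(2, "permit", "remark-dscp")])
    print(r.applied, sorted(r.actions))
```

The skipped list is the part worth reviewing in a real rule set: a deny ACE that appears there is matched by the packet but has no effect because a higher priority permit ACE matched first.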


2. Configuring ACLs

To configure an ACL, you need to configure the following items in the following order:

1. Create an ACT or use one of the pre-defined ACTs.

2. Create an ACL using an ACT from Step 1 above.

3. Add the appropriate ACEs to the ACL created in Step 2 above.

2.1 ACT – Access Control Templates

As pointed out in section 1.1, there are several pre-defined ACT's available. You have the choice of using an existing ACT or, if you wish, creating a new one. To view the ACT list, enter the following command:

ERS-8610:5# show filter act

Please see Appendix B showing output from the show filter act command.

To create a new ACT, enter the following command:

ERS-8610:5# config filter act <act id, 1-4096> ?

Sub-Context: pattern

Current Context:

apply

arp <arp-attributes>

create [name <value>]

delete

ethernet <ethernet-attributes>

info

ip <ip-attributes>

name <value>

protocol <protocol-attributes>

Where:

Field Description

ActId Identifies the ACT bound to this interface. The range is from 1-4096.

Name Specifies a descriptive, user-defined name for the ACT entry.

ArpAttrs Specifies one of the following ARP attributes:

none

operation (This is the only valid option for ARP attributes).

EthernetAttrs Specifies one or more of the following Ethernet attributes:


none

srcMac

dstMac

etherType

port

vlan

vlanTagPrio

IpAttrs Specifies one or more of the following IP attributes:

none

srcip

dstip

ipFragFlag

ipOptions

ipProtoType

dscp

ProtocolAttrs Specifies one or more of the following protocol attributes:

none

tcpSrcPort

udpSrcPort

tcpDstPort

udpDstport

tcpFlags

icmpMsgFlags

Example:

CLI:

For example, assume we wish to add a new ACT to select src and dst MAC, EtherType, VLAN and VLAN priority.

ERS-8610:5# config filter act 10 create

ERS-8610:5# config filter act 10 ethernet srcMac, dstMac, etherType, vlan, vlanTagPrio

ERS-8610:5# config filter act 10 apply


Device Manager:

Via Security>Advanced L2-L7 Filter>ACL>ACT>Insert

2.2 ACL

The next step is to create an ACL. This can be accomplished by entering the following command:

CLI:

ERS-8610:5# config filter acl <acl-id 1-4096> ?

Sub-Context: ace port set vlan

Current Context:

create <type> act <value> [name <value>]

delete

disable

enable

info

name <value>

ERS-8610:5# config filter acl <acl-id 1-4096> create ?

create an access control list

Required parameters:

<type> = {inVlan|outVlan|inPort|outPort}

act <value> = access control template ID {1..4096}

Optional parameters:

name <value> = access control list descriptive name {string length 0..32}


Command syntax:

create <type> act <value> [name <value>]

Device Manager:

Via Security>Advanced L2-L7 Filter>ACL>ACL>Insert

Where:

Field Description

AclId Specifies a unique identifier for the ACL entry in the range from 1-4096.

ActId Specifies a unique identifier for the ACT entry in the range from 1-4096.

Type Specifies whether the ACL is VLAN or port-based. Valid options here are:

inVlan

outVlan

inPort

outPort

Note: The inVlan and outVlan ACL types drop packets if the VLAN is added after ACE creation. For VLAN-based filters, you should ensure that the ACE configuration is set to all of the R module slots, irrespective of the VLAN's port membership on a slot.

Name Specifies a descriptive, user-defined name for the ACL entry.

VlanList Identifies an array used to indicate all the VLANs associated with the ACL entry. Currently, only 4000 VLANs are supported in the ERS 8000 Series v4.0 software.


PortList Specifies the ports to be added to the ACL entry.

DefaultAction Specifies the action to be taken when none of the ACEs in the ACL match. Valid options are deny and permit, with permit as the default.

GlobalAction Indicates action is applied to all ACEs that match in an ACL. Valid options here are:

none

mirror

count

mirror-count

State Enables or disables all of the ACEs in the ACL. The default value is enable

AceListSize Specifies the number of ACEs in a particular ACL.

Example:

CLI:

Continuing from the example in Section 2.1, enter the following to add an ACL using the ACT from Section 2.1 assuming we wish to filter on ingress ports 8/29 and 8/30:

ERS-8610:5# config filter acl 10 create inPort act 10

ERS-8610:5# config filter acl 10 port add 8/29-8/30

Device Manager:

Via Security>Advanced L2-L7 Filter>ACL>ACL>Insert

[Device Manager screenshot callouts: select ACT 10; select the ports; select mirror or count statistics if required; click when finished.]


2.3 ACE – Access Control Entry

The final step now is to add the appropriate ACE's to the ACL created in step 2.2. This can be accomplished by entering the following command:

ERS-8610:5# config filter acl <acl-id 1-4096> ace <ace-id 1-1000> create

ERS-8610:5# config filter acl <acl-id 1-4096> ace <ace-id 1-1000> ?

Sub-Context: advanced arp ethernet ip protocol

Current Context:

action <mode> [mlt-index <value>] [remark-dscp <value>] [remark-dot1p

<value>] [police <value>] [redirect-next-hop <value>] [unreachable <value>]

[egress-queue <value>] [stop-on-match <value>] [egress-queue-nnsc <value>]

create [name <value>]

debug [count <value>] [copytoprimarycp <value>] [copytosecondarycp <value>]

[mirror <value>]

delete

disable

enable

info

name <value>

ERS-8610:5# config filter acl <acl-id 1-4096> ace <ace-id 1-1000> ethernet ?

Sub-Context:

Current Context:

dst-mac <ace-op> <dst-mac-list>

ether-type <ace-op> <ether-type>

info

port <ace-op> <ports>

src-mac <ace-op> <src-mac-list>

vlan-id <ace-op> <vid>[,...]>

vlan-tag-prio <ace-op> <vlan-tag-prio>

ERS-8610:5# config filter acl <acl-id 1-4096> ace <ace-id 1-1000> arp ?

Sub-Context:

Current Context:


operation <ace-op> <arp-oper-type>

info

ERS-8610:5# config filter acl <acl-id 1-4096> ace <ace-id 1-1000> ip ?

Sub-Context:

Current Context:

dscp <ace-op> <dscp-list>

dst-ip <ace-op> <dst-ip-list>

info

ip-frag-flag <ace-op> <ip-frag-flag>

ip-options <ace-op>

ip-protocol-type <ace-op> <ip-protocol-type>

src-ip <ace-op> <src-ip-list>

ERS-8610:5# config filter acl <acl-id 1-4096> ace <ace-id 1-1000> protocol ?

Sub-Context:

Current Context:

icmp-msg-type <ace-op> <icmp-msg-type>

info

tcp-dst-port <ace-op> <tcp-portlist>

tcp-flags <ace-op> <tcp-flags>

tcp-src-port <ace-op> <tcp-portlist>

udp-dst-port <ace-op> <udp-portlist>

udp-src-port <ace-op> <udp-portlist>

ERS-8610:5# config filter acl <acl-id 1-4096> ace <ace-id 1-1000> advanced ?

Sub-Context:

Current Context:

info

custom-filter1 <pattern1-name> <ace-op> <value>

custom-filter2 <pattern2-name> <ace-op> <value>

custom-filter3 <pattern3-name> <ace-op> <value>


NOTE: Up to three ACT patterns can be applied to an ACL. If more than three ACT patterns are required, you can combine a VLAN and a Port ACL to have up to six patterns.

ERS-8610:5# config filter acl <acl-id 1-4096> ace <ace-id 1-1000> action ?

update desired action parameters for access control entry

Required parameters:

<mode> = deny or permit matching packets

{deny|permit}

Optional parameters:

mlt-index <value> = MLT index {0..8}

remark-dscp <value> = new phb and dscp for matching packets {0..256} or

{0x0..0x100} or {disable|phbcs0|phbcs1|phbaf11|phbaf12|

phbaf13|phbcs2|phbaf21|phbaf22|phbaf23|phbcs3|phbaf31|

phbaf32|phbaf33|phbcs4|phbaf41|phbaf42|phbaf43|phbcs5|

phbef|phbcs6|phbcs7}

remark-dot1p <value> = new dot1 priority for matching packets {0..8} or

{0x0..0x8} or

{disable|zero|one|two|three|four|five|six|seven}

police <value> = value-id of the template policer {0..16383}

redirect-next-hop <value> = next-hop ip address for redirect mode {a.b.c.d}

unreachable <value> = deny or permit when next-hop is unreachable

{deny|permit}

egress-queue <value> = offset from the base queue number {0..64}

The <value> can be just a single value, 2 values or

3 values.

The three values are for Egress Queue ID for 10/100

card,Egress Queue for 1G card and EgressQueue

for 10Gig card.

If only 1 value is specified, the same value is

applied to all 3 card types.

If 2 values are specified, the first value is applied

to 10/100 card, and the second value is applied to 1G

and 10G cards.

If all 3 values are specified, the 3 values are

applied to 10/100, 1G and 10G respectively.


stop-on-match <flag> = true/false for stop on match

egress-queue-nnsc <value> = Ace egress queue nnsc

{critical|custom|premium|platinum|gold|

silver|bronze|standard|disable}

Command syntax:

action <mode> [mlt-index <value>]

[remark-dscp <value>] [remark-dot1p <value>]

[police <value>] [redirect-next-hop <value>]

[unreachable <value>] [egress-queue <value>]

[stop-on-match <flag>] [egress-queue-nnsc <value>]

Where:

Field Description

AclId Specifies a unique identifier for the ACL entry in the range from 1-4096.

ActId Specifies a unique identifier for the ACT entry in the range from 1-4096.

ACE Advanced

Ace-op Specifies the operators for the ACE pattern used when an ACT pattern is configured. The custom-filter<1-3>-name selects the ACT pattern name configured.

<pattern1-name> = hex numeric string for user-defined field {string length 0..32}

Ace-op : operator for field match condition {eq|le|ge}

custom-filter1 <pattern1-name> <ace-op> <value>

ACE ARP, ACL

Operation Specifies the operator for ACE ARP operation. The eq value specifies an exact match.

Oper-type Specifies whether ACE ARP will be a request, arpRequest, or response, arpResponse.

ACE Ethernet, ACL

Dst-mac-list List of destination MAC addresses separated by a comma or a range of MAC addresses specified as low-high.

Ace-op : operator for field match condition {eq|ne|le|ge}

Ether-type One or more ethertype name/number or {ip|arp|ipx802dot3 |ipx802dot2|ipxSnap|ipxEthernet2|appleTalk| decLat|decOther| sna802dot2|snaEthernet2|netBios|xns|vines|ipV6|rarp|PPPoE}

Ace-op : operator for field match condition {eq|ne}

Port Specifies port list {slot/port[-slot/port][….]}

Ace-op : operator for field match condition {eq}

Src-mac List of source MAC addresses separated by a comma or a range of MAC addresses specified as low-high.

Ace-op : operator for field match condition {eq|ne|le|ge}

Vlan-id List of vlans ids {vlan-id[-vlan-id][,...]}

Ace-op : operator for field match condition {eq}

Vlan-tag-prio Specifies VLAN Tag {0..7} or undefined

Ace-op : operator for field match condition {eq|ne}

ACE IP, ACL

Dscp Specifies phb name or dscp value {0..256} or {disable|phbcs0| phbcs1|phbaf11|phbaf12|phbaf13|phbcs2|phbaf21|phbaf22| phbaf23|phbcs3|phbaf31| phbaf32|phbaf33|phbcs4|phbaf41| phbaf42|phbaf43|phbcs5|phbcs6|phbef|phbcs7}

Ace-op : match dscp field {eq | ne}

Dst-ip Specifies destination ip address list {a.b.c.d[,w.x.y.z-p.q.r.s] [,l.m.n.o/mask][,a.b.c.d/len]}

Ace-op : operator for field match condition {eq|ne|le|ge}


Ip-frag-flag Specifies match option for ip fragments {noFragment| anyFragment| moreFragment|lastFragment}

Ace-op : operator for field match condition {eq}

Ip-options Specifies the IP-options attribute of the IP header

Ace-op : operator for field match condition {any}

Ip-protocol-type Specifies IP protocol type {1..256} or {undefined|icmp|tcp| udp|ipsecesp|ipsecah| ospf|vrrp|snmp}

Ace-op : operator for field match condition {eq|ne}

Src-ip Specifies source ip address list {a.b.c.d[,w.x.y.z-p.q.r.s] [,l.m.n.o/mask][,a.b.c.d/len]}

Ace-op : operator for field match condition {eq|ne|le|ge}

ACE Protocol, ACL

Icmp-msg-type Specifies one or more icmpmsg type {0..255} or {echoreply| destunreach|sourcequench|redirect|echo-request|routeradv| routerselect|time-exceeded|param-problem|timestamp-request|timestamp-reply|addressmask-request|addressmask-reply|traceroute}

Ace-op : operator for field match condition {eq|ne}

Tcp-dst-port Specifies destination port for tcp protocol {0..65535} or {echo| ftpdata|ftpcontrol|ssh|telnet|dns|http|bgp|hdot323|undefined}

Ace-op : operator for field match condition {eq|ne|le|ge}

Tcp-flags Specifies one or more tcp flags {none|fin|syn|rst|push|ack|urg| undefined}

Ace-op: operator for field match condition {match-any|match-all}

Tcp-src-port Specifies source port for tcp protocol {0..65535} or {}

Ace-op : operator for field match condition {eq|ne|le|ge}


Udp-dst-port Specifies destination port for udp protocol {0..65535} or {echo|dns| bootpServer|bootpClient|tftp|rip|rtp|rtcp|undefined}

Ace-op : operator for field match condition {eq|ne|le|ge}

Udp-src-port Specifies source port for udp protocol {0..65535} or {}

Ace-op : operator for field match condition {eq|ne|le|ge}


3. R-Module Queuing

3.1 Overview

R-modules, by default, have two reserved and pre-configured egress queue templates based on Avaya Data Solutions Service Class (ADSSC) – please see http://www.nortelnetworks.com/products/02/bstk/switches/bps/collateral/56058.25_022403.pdf. In the 4.0 release, one template has 8 queues while the other has up to 64 queues. In addition to this, a user can add individual egress queue templates to any port. Overall, the following explains the queue options pertaining to the type of I/O module used:

I/O modules with 1 egress port per LANE can utilize all 640 elementary queues. In the 4.0 software release, 64 out of 640 queues per 10GE port are used. This would apply to the 8683XLR (3-port 10GE) and 8683XZR (3-port 10GE).

I/O modules with more than 1 port, but no more than 10 ports per lane can utilize up to 64 elementary queues per port. This would apply to the 8630GBR (30-port GE) I/O module.

I/O modules with more than 10 ports per lane support 8 elementary queues per port. This would apply to the 8648GTR (48-port 10/100/1000) I/O module.

Each queue within the egress queue is further broken down to one of three queue styles.

High Priority Group

o Queues in this group have the highest precedence over other queues in other groups and are serviced first

o Strict priority is used

o Queues belonging to this group are numbered from queue index 63 and decrement

o Any packet in queue 63 will be serviced first followed by queue 62 in this order

o On trusted ports, incoming packets with 802.1p = 6 or DSCP CS5/EF are placed in queue 62 by default

o A maximum rate can be configured on a high priority queue to avoid bandwidth monopoly

Balanced Queuing Group (Weighted Round Robin)

o Balanced queues are serviced second, after traffic from the high priority queues is serviced

o Queues belonging to the balanced group are serviced by a weighted round robin scheduler

o Each balanced queue has a minimum rate and a maximum rate, where the minimum rate provides a guaranteed bandwidth while the maximum rate provides a maximum rate if no data is serviced on other queues

o The sum of all minimum rates configured on all queues cannot exceed 100% - line rate of the port

o Minimum rates are not applicable to High Priority Groups or Low Priority Groups

Low Priority Group

o Queues belonging to the low priority group are serviced last as-is or best effort

o There is no minimum rate associated with a low priority group

Please see section 3.2 showing the egress queue mappings.


Feedback Output Queueing (FOQ)

ERS 8600 Release 4.0 reports congestion for individual egress queues. Feedback output queueing (FOQ) notifies the ingress ports of congestion ahead so that the switch fabric doesn't waste resources forwarding packets or cells that will probably get dropped. FOQ avoids congestion and packet drops indiscriminate of QoS flows.

We recommend that you enable FOQ in a system with only R modules. You must enable R-mode to use FOQ. FOQ is not supported in a system with a mix of modules (R modules and pre-E, E- or M-modules). Please see section 5.3 regarding R-mode.

3.2 Default Packet QoS to Egress Queue Mapping

Depending on the value of the DSCP/802.1p value, one of eight queues will be chosen as shown in Table 3 below. Note that they are different for different R-modules port types. Each queue can be configured in one of three styles listed in descending order: high priority, balanced, and low priority. Queues in the balanced group are scheduled using an implementation of Weighted Fair Queuing (WFQ). Overall, by default, the R-modules support the following service levels:

1. Provide two high priority queues for critical network control and real time application data, i.e. the highest priority queue for critical traffic and the 2nd highest priority for Premium traffic.

2. Provide five balanced queues: one for standard network traffic and four for "metal" (Platinum, Gold, Silver and Bronze) traffic.

3. Provide one low priority queue for Standard (best effort) traffic. This queue is served after all high priority and weighted queues have been served.

By default, every Power Ranger physical port will be configured with these eight queues providing for ADSSC requirements.

Table 3: Ethernet Interface Type Default Internal QoS Mapping

Internal QOS Level  Fast Ethernet Queue Num/Style  1GE Queue Num/Style  10GE Queue Num/Style  ADSSC
------------------  -----------------------------  -------------------  --------------------  ----------------
0                   5 / Low priority               55 / Low priority    55 / Low priority     Custom
1                   4 / Weighted                   4 / Weighted         4 / Weighted          Standard/Default
2                   3 / Weighted                   3 / Weighted         3 / Weighted          Bronze
3                   2 / Weighted                   2 / Weighted         2 / Weighted          Silver
4                   1 / Weighted                   1 / Weighted         1 / Weighted          Gold
5                   0 / Weighted                   0 / Weighted         0 / Weighted          Platinum
6                   6 / High Priority              62 / High Priority   62 / High Priority    Premium
7                   7 / High Priority              63 / High Priority   63 / High Priority    Critical/Network


3.3 Default Ingress p-bit to Internal QoS Level and Egress Queue Mapping

Table 4: Default p-bit Interface Internal QoS Level and Egress Queue Mapping

802.1p  Internal QoS  Egress Queue FE  Egress Queue GE  Q-name (Egress Queue set 2)
------  ------------  ---------------  ---------------  ---------------------------
0       1             4                4                Standard/Default
1       0             5                55               Custom
2       2             3                3                Bronze
3       3             2                2                Silver
4       4             1                1                Gold
5       5             0                0                Platinum
6       6             6                62               Premium
7       7             7                63               Network/Critical

3.4 Gigabit Ethernet Default Ingress DSCP to Egress Queue Mapping

Ingress DSCP (Dec)  Ingress DSCP (Hex)  ToS  Internal QoS  Egress Queue  PHB   Q-name (Egress Queue set 2)
------------------  ------------------  ---  ------------  ------------  ----  ---------------------------
00                  00                  00   1             4             CS0   Custom
00                  00                  00   1             4             DE
08                  08                  20   2             3             CS1   Bronze
10                  A                   28   2             3             AF11
16                  10                  40   3             2             CS2   Silver
18                  12                  48   3             2             AF21
24                  18                  60   4             1             CS3   Gold
26                  1A                  68   4             1             AF31
32                  20                  80   5             0             CS4   Platinum
34                  22                  88   5             0             AF41
40                  28                  A0   6             62            CS5   Premium
46                  2E                  B8   6             62            EF
48                  30                  C0   7             63            CS6   Network/Critical
56                  38                  E0   7             63            CS7

3.5 Egress Traffic Shaping

Figure 2: Egress Traffic Shaping

For each balanced queue, you can set up a desired minimum rate guarantee and a maximum rate limit. For each priority queue, either high or low priority, minimum rate guarantee is not applicable. Only the maximum rate should be configured. The sum of all the balanced queue guarantees has to be less than the sum of the high priority queue rate limit (max rate).

3.5.1 High Priority Group – Maximum Rate

All packets in a high priority group are serviced from the highest queue downward. For a Gigabit Ethernet interface, this implies that queue 63 will be addressed prior to queue 62.

To ensure that each queue or the whole high priority group does not monopolize all the bandwidth, a maximum rate can be configured for each high priority queue. You can increase or decrease the maximum rate on any high priority queue with the exception of queue 63 (reserved queue) for network traffic. The ERS 8600 uses queue 63 for all control traffic such as Spanning Tree BPDU's.

By default, queue 63 is configured with a maximum rate of 5% while queue 62 is configured for 45%. Note that the maximum rate is expressed in percentage of line rate for various ports using the same shaper template. You can modify the default maximum rate if required.

Note that the total sum of the maximum rates for the high priority queues and the minimum rates of the balanced queues must be less than or equal to 100% to ensure that the balanced queues get their promised minimum configured rate.

High Queue Max Rate <= [Available Bandwidth – Total Minimum Rates for Balanced Queues]

[Figure 2 labels: Ingress Ports, Rate limiter, Packet Queues, Egress Shaping function, Scheduler, Egress Port. Ingress ACLs assign flows to egress queues.]


3.5.2 Balanced Priority Group – Minimum and Maximum Rates

Queues belonging to the balanced group are serviced by a weighted round robin scheduler. Each queue in the balanced group is assigned a minimum rate and a maximum rate. The minimum rate is a guarantee to provide at least the percentage of bandwidth share configured for the queue. For example, on a Gigabit Ethernet link, if the queue is configured for 10% minimum rate, the queue will be guaranteed to get 100MB from the total available bandwidth. The rate on a particular queue can go up to the maximum rate configured, provided there is no traffic to be serviced on the other queues.

3.5.3 Queue Size

Up to 32K memory pages are supported per LANE. Hence, up to 32K memory pages are supported per 10GE port or 10 x 1GE ports. Please see Table 4, Default QoS to Egress Queue Mapping, regarding the default queue size in pages per egress queue. The default setting can be changed by using the commands shown in section 3.5.2.

3.5.4 Statistics

Two hardware counters are maintained per every elementary egress queue. These two counters are total pages and dropped pages where each page represents 512 bytes per page. Hence, for example, a 64 byte packet will consume a 512 byte memory page.

It should be noted that statistics precision makes it difficult to compare actual queue output as the statistics does count bytes. If we consider packet sizes fewer than 512 bytes, each packet will be displayed as one page. However, for packets greater than 512 bytes, the actual number of pages will be greater than the number of frames. Taking into consideration the backplane overhead, 512 byte packets will actually take two pages where each cell holds 144 or 148 bytes of data depending on whether the packet header extension is present.

The statistics can be viewed by using the commands below:

ERS-8610:5# show qos stats egress-queue-set ?

Sub-Context:

Current Context:

all [verbose]

egress-queue-set <id> [verbose]

port <ports> [verbose]

Example

ERS-8610:5# show qos stats egress-queue-set egress-queue-set 2

==================================================================

R-Module QOS Shapers Stats Table

==================================================================

Port Qid Total pages Dropped pages Utilization

(512 bytes per page) (512 bytes per page) %


------------------------------------------------------------------

8/1 0 0 0 0

8/1 1 0 0 0

8/1 2 0 0 0

8/1 3 0 0 0

8/1 4 0 0 0

8/1 55 0 0 0

8/1 62 0 0 0

8/1 63 0 0 0

8/2 0 0 0 0

8/2 1 0 0 0

8/2 2 0 0 0

8/2 3 0 0 0

8/2 4 0 0 0

8/2 55 0 0 0

8/2 62 0 0 0

8/2 63 0 0 0

etc.

ERS-8610:5# show qos stats egress-queue-set port 8/23

=================================================================

R-Module QOS Shapers Stats Table

=================================================================

Port Qid Total pages Dropped pages Utilization

(512 bytes per page) (512 bytes per page) %

-----------------------------------------------------------------

8/23 0 0 0 0

8/23 1 0 0 0

8/23 2 0 0 0

8/23 3 0 0 0

8/23 4 0 0 0

8/23 55 0 0 0

8/23 62 0 0 0

8/23 63 54526 0 100
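The stats table above lends itself to automated review. The following added example (not part of the Avaya guide) parses rows in the format shown and flags queues with dropped pages or high utilization; the 8/24 row is constructed for illustration, and the 90% utilization threshold is an assumption, not a value from the guide.

```python
import re

PAGE_BYTES = 512      # each page represents 512 bytes (section 3.5.4)
CONTROL_QUEUE = 63    # queue 63 carries control traffic (section 3.5.1)

# Port, Qid, Total pages, Dropped pages, Utilization %
ROW = re.compile(r"^\s*(\d+/\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

# The 8/23 rows are the output shown above; the 8/24 row is constructed.
SAMPLE = """\
Port Qid Total pages Dropped pages Utilization
(512 bytes per page) (512 bytes per page) %
-----------------------------------------------------------------
8/23 0 0 0 0
8/23 1 0 0 0
8/23 2 0 0 0
8/23 3 0 0 0
8/23 4 0 0 0
8/23 55 0 0 0
8/23 62 0 0 0
8/23 63 54526 0 100
8/24 3 120000 3500 100
"""


def parse_stats(text):
    """Turn the data rows of the stats table into dictionaries; skip headers."""
    rows = []
    for line in text.splitlines():
        match = ROW.match(line)
        if match:
            port, qid, total, dropped, util = match.groups()
            rows.append({
                "port": port,
                "qid": int(qid),
                "total_pages": int(total),
                "dropped_pages": int(dropped),
                "utilization": int(util),
            })
    return rows


def review(rows, util_threshold=90):
    """Return (port, qid, reasons) for every queue that deserves a look."""
    findings = []
    for row in rows:
        reasons = []
        if row["dropped_pages"] > 0:
            # A page holds at most 512 bytes, so this is an upper bound:
            # a 64 byte packet still consumes a whole page.
            upper = row["dropped_pages"] * PAGE_BYTES
            reasons.append(f"dropped {row['dropped_pages']} pages (at most {upper} bytes)")
        if row["utilization"] >= util_threshold:
            reasons.append(f"utilization {row['utilization']}%")
        if reasons and row["qid"] == CONTROL_QUEUE:
            reasons.append("control-traffic queue")
        if reasons:
            findings.append((row["port"], row["qid"], reasons))
    return findings


if __name__ == "__main__":
    for port, qid, reasons in review(parse_stats(SAMPLE)):
        print(f"{port} queue {qid}: " + "; ".join(reasons))
```

A control-traffic queue running at its configured maximum is worth correlating with Spanning Tree or routing protocol events on that port, since queue 63 is shaped to a small share of line rate by default.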


3.6 Queue Set Configuration Commands

3.6.1 Adding a New Queue Set

As mentioned in Section 3.1, two queue templates are already added by default. Queue template 1, which supports 8 queues per port, is assigned to I/O modules with more than 10 ports per lane, i.e. PP8648GTR. Queue template 2, which supports up to 64 queues per port of which only 8 are used per port, is assigned to I/O modules with up to 10 ports per lane, i.e. PP8630GBR.

If required, a new egress queue set can be added by using the following command.

ERS-8610:5# config qos egress-queue-set ?

Sub-Context: port queue

Current Context:

apply

create qmax <value> [balanced-queues <value>] [hipri-queues <value>]

[lopri-queues <value>] [name <value>]

delete

info

name <value>

ERS-8610:5# config qos egress-queue-set 10 create

Not enough required parameters entered

create qos egress queue set

Required parameters:

qmax <value> = queue max of 8 or 64 {8|64}

Optional parameters:

balanced-queues <value> = balanced queues in the template {0..48}

hipri-queues <value> = high priority queues in the template {0..64}

lopri-queues <value> = low priority queues in the template {0..8}

name <value> = name for qos tx queue {string length 0..32}

Command syntax:

create qmax <value> [balanced-queues <value>] [hipri-queues <value>]

[lopri-queues <value>] [name <value>]

NOTE: When configuring a new queue set, if you configure the new queue set using the same number of queues with the same queue ID's as either of the two default queue sets, traffic will be forwarded to the appropriate queue according to the QoS level of the traffic flow. However, if you add additional queues or use different queue ID's from those of the two default queue sets, ACL's must be used to take advantage of the new queue set. The ACL must be configured with an ACE that, upon a filter match, selects the queue number.


3.6.1.1 Adding a new Queue Set Configuration Example

For example, let's assume we wish to create a new queue template, queue-set 3, with the following number of queues and no shaping:

Hi priority queues: 1

o Max-rate = 5%

Low priority queues: 1

o Min-rate = 0%, Max-rate = 100%

Balance queue: 8

o Queue's 0, 1, and 2: Min-rate = 10%, Max-rate = 100%

o Queue 3: Min-rate = 20%, Max-rate = 100%

o Queue's 4 and 5: Min-rate = 15%, Max-rate = 100%

o Queue's 6, 7 and 5: Min-rate = 15%, Max-rate = 100%

o Queue 55: Max-rate = 100%

o Queue 63: Max-rate = 5%

Enter the following command:

CLI:

ERS-8610:5# config qos egress-queue-set 3 create qmax 64 balanced-queues 8 hipri-queues 1 lopri-queues 1

ERS-8610:5# config qos egress-queue-set 3 apply

NOTE: For Gigabit Ethernet ports, the qmax setting is 64 while for 10/100 Fast Ethernet ports, the qmax setting is 8.

NOTE: You enter the apply command when changing or adding any egress queue parameter.

NOTE: All balanced queues start at queue 0 and move forwards. All low-priority queues start at 55 and move backwards - i.e. 55, 54, 53 etc. All high-priority queues start at queue 63 and move backwards.

After the queue set has been configured, you will still have to configure the queue weight for each balanced queue defined by the minimum rate. If required, shaping can be applied to each queue by defining the maximum rate for each queue. The new queue-set 3 can be observed by using the following command.

ERS-8610:5# show qos config egress-queue-set egress-queue-set 3 queues

====================================================================

R-Module QOS Shapers Table

====================================================================

Qid Q-name Q-style min-rate max-rate max-q-length

--------------------------------------------------------------------

0 Queue-0 Bal 10 100 163

1 Queue-1 Bal 0 0 320

2 Queue-2 Bal 0 0 320

3 Queue-3 Bal 0 0 320

4 Queue-4 Bal 0 0 320

5 Queue-5 Bal 0 0 320

6 Queue-6 Bal 0 0 320

7 Queue-7 Bal 0 0 320


55 Queue-55 low-pri 0 0 320

63 Queue-63 high-pri 0 5 163

NOTE: Notice the min-rate and max-rate are not set.

To change the queue minimum and maximum rates, use the following command:

ERS-8610:5# config qos egress-queue-set 3 queue <1..64> ?

Sub-Context:

Current Context:

set [min-rate <value>] [max-rate <value>] [max-length

<value>]

info

name <value>

ERS-8610:5# config qos egress-queue-set 3 queue 1 set ?

set queue values:

Optional parameters:

min-rate <value> = minimum rate in percentage {0..100}

max-rate <value> = maximum rate in percentage {0..100}

max-length <value> = maximum length in pages {0..8000}

{off|low|medium|high} <value>

Command syntax:

set [min-rate <value>] [max-rate <value>] [max-length <value>]

The following commands change the minimum rate and maximum rates as per above:

ERS-8610:5# config qos egress-queue-set 3 queue 1 set min-rate 10 max-rate 100

ERS-8610:5/config/qos/egress-queue-set/3# queue 2 set min-rate 10 max-rate 100

ERS-8610:5/config/qos/egress-queue-set/3# queue 3 set min-rate 20 max-rate 100

ERS-8610:5/config/qos/egress-queue-set/3# queue 4 set min-rate 15 max-rate 100

ERS-8610:5/config/qos/egress-queue-set/3# queue 5 set min-rate 15 max-rate 100

ERS-8610:5/config/qos/egress-queue-set/3# queue 6 set min-rate 5 max-rate 100

ERS-8610:5/config/qos/egress-queue-set/3# queue 7 set min-rate 5 max-rate 100

ERS-8610:5/config/qos/egress-queue-set/3# queue 55 set max-rate 100

ERS-8610:5/config/qos/egress-queue-set/3# apply

NOTE: The sum of the minimum rate for all balanced queues and the max-rate of the high priority queue cannot exceed 100.

NOTE: You must enter the 'apply' command after changing a queue minimum or maximum rate.

NOTE: The maximum length is as measured in pages as per section 3.5.3.

Queue set 3 should now look like the following:

ERS-8610:5# show qos config egress-queue-set egress-queue-set 3 queues

====================================================================

R-Module QOS Shapers Table

====================================================================


Qid Q-name Q-style min-rate max-rate max-q-length

--------------------------------------------------------------------

0 Queue-0 Bal 10 100 163

1 Queue-1 Bal 10 100 320

2 Queue-2 Bal 10 100 320

3 Queue-3 Bal 20 100 320

4 Queue-4 Bal 15 100 320

5 Queue-5 Bal 15 100 320

6 Queue-6 Bal 5 100 320

7 Queue-7 Bal 5 100 320

55 Queue-55 low-pri 0 100 320

63 Queue-63 high-pri 0 5 163

Finally, to add port members to the queue set, enter the following command:

ERS-8610:5# config qos egress-queue-set 3 port add <ports>
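Before applying a queue set it helps to check the plan offline against the rules stated in the NOTEs above. The following is an added example, not Avaya tooling: it models only qmax 64 queue sets, uses the queue numbering and rate rules from this section, takes the queue-set 3 rates from the final show output, and the function names are hypothetical.

```python
QSTYLE_BAL, QSTYLE_LOW, QSTYLE_HIGH = "Bal", "low-pri", "high-pri"


def plan_queue_ids(balanced, hipri, lopri):
    """Map queue ID -> style for a qmax 64 queue set.

    Numbering follows the NOTE above: balanced queues start at 0 and move
    forwards, low-priority queues start at 55 and move backwards, and
    high-priority queues start at 63 and move backwards.
    """
    if not 0 <= balanced <= 48:
        raise ValueError("balanced-queues must be in 0..48")
    if not 0 <= hipri <= 64:
        raise ValueError("hipri-queues must be in 0..64")
    if not 0 <= lopri <= 8:
        raise ValueError("lopri-queues must be in 0..8")
    plan = {}
    for style, ids in (
        (QSTYLE_BAL, range(balanced)),                   # 0, 1, 2, ...
        (QSTYLE_LOW, (55 - i for i in range(lopri))),    # 55, 54, 53, ...
        (QSTYLE_HIGH, (63 - i for i in range(hipri))),   # 63, 62, 61, ...
    ):
        for qid in ids:
            if qid < 0 or qid in plan:
                raise ValueError(f"queue {qid} is out of range or assigned twice")
            plan[qid] = style
    return plan


def check_rates(plan, rates):
    """Check per-queue (min_rate, max_rate) percentages against the page's rules.

    Returns (budget, findings). budget is the sum of the balanced min-rates
    plus the high-priority max-rates, which cannot exceed 100.
    """
    findings = []
    budget = 0
    for qid in sorted(plan):
        style = plan[qid]
        min_rate, max_rate = rates.get(qid, (0, 0))
        for label, value in (("min-rate", min_rate), ("max-rate", max_rate)):
            if not 0 <= value <= 100:
                findings.append(f"queue {qid}: {label} {value} outside 0..100")
        if style == QSTYLE_BAL:
            budget += min_rate
        else:
            if min_rate:
                findings.append(f"queue {qid}: min-rate is not applicable to {style} queues")
            if style == QSTYLE_HIGH:
                budget += max_rate
    for qid in sorted(set(rates) - set(plan)):
        findings.append(f"queue {qid}: not part of this queue set")
    if budget > 100:
        findings.append(f"balanced min-rates plus high-priority max-rates = {budget}, exceeds 100")
    return budget, findings


# Queue-set 3 as created above: 8 balanced, 1 high-priority, 1 low-priority.
QUEUE_SET_3 = plan_queue_ids(balanced=8, hipri=1, lopri=1)

# (min-rate, max-rate) per queue, taken from the final show output above.
RATES_SET_3 = {
    0: (10, 100), 1: (10, 100), 2: (10, 100), 3: (20, 100),
    4: (15, 100), 5: (15, 100), 6: (5, 100), 7: (5, 100),
    55: (0, 100), 63: (0, 5),
}

# Constructed variant: queue 63 max-rate raised to 20, which overcommits the port.
RATES_OVERCOMMITTED = {**RATES_SET_3, 63: (0, 20)}

if __name__ == "__main__":
    for name, rates in (("queue-set 3", RATES_SET_3), ("overcommitted", RATES_OVERCOMMITTED)):
        budget, findings = check_rates(QUEUE_SET_3, rates)
        print(f"{name}: budget {budget}%, findings: {findings or 'none'}")
```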

Device Manager:

To add a new queue set, follow the instructions below.

Via QoS>Egress Queue Set>Insert

After this queue set has been configured, queue numbers 0 to 8 will automatically be assigned to the balanced queues, queue number 63 will be assigned to the high queues, and queue number 55 to the low queues.

To change the individual queue setting, follow the instructions below.

Via QoS>Egress Queue Set>Select Queue Set 3>Queue


3.6.1.2 Queue Set Show Commands

To view the queue set, enter the following commands:

a) View all the queue sets

ERS-8610:5# show qos config egress-queue-set all

==========================================================================

R-Module QOS Shapers Table

==========================================================================

TemplateID Name Total Qs BalQs Hi-priQs lo-priQs Ports

--------------------------------------------------------------------------

1 NNSC8 8 5 2 1

2 NNSC64 8 5 2 1 8/1-8/28

3 set-3 10 8 1 1 8/29-8/30

b) View individual queue set

ERS-8610:5# show qos config egress-queue-set egress-queue-set 3

==========================================================================

R-Module QOS Shapers Table

==========================================================================

TemplateID Name Total Qs BalQs Hi-priQs lo-priQs Ports

--------------------------------------------------------------------------

3 set-3 10 8 1 1 8/29-8/30

c) View queue set used on a port level

ERS-8610:5# show qos config egress-queue-set port 8/29


==========================================================================

R-Module QOS Shapers Table

==========================================================================

TemplateID Name Total Qs BalQs Hi-priQs lo-priQs Ports

--------------------------------------------------------------------------

3 set-3 10 8 1 1 8/29-8/30

d) View queue shaper table for queue set 3

ERS-8610:5# show qos config egress-queue-set egress-queue-set 3 queues

==========================================================================

R-Module QOS Shapers Table

==========================================================================

Qid Q-name Q-style min-rate max-rate max-q-length

--------------------------------------------------------------------------

0 Queue-0 Bal 10 100 163

1 Queue-1 Bal 10 100 320

2 Queue-2 Bal 10 100 320

3 Queue-3 Bal 20 100 320

4 Queue-4 Bal 15 100 320

5 Queue-5 Bal 15 100 320

6 Queue-6 Bal 5 100 320

7 Queue-7 Bal 5 100 320

55 Queue-55 low-pri 0 100 320

63 Queue-63 high-pri 0 5 163


4. Ingress Traffic Policing

Figure 3: Ingress Policing (L2-L7)

The ERS 8600 R-modules support up to 450 policers (50 reserved internally) per LANE (per 10 GE port or 10 x 1 GE ports; see Appendix D for hardware details). Hence, on an ERS 8683XLR, 8683XZR, or 8630GBR, up to 1200 (1350 total) policers are supported per I/O module.

The following options are supported:

CIR: Service rate

PIR: Peak information rate

3 internal colors to remark packets to
o Red (discard right away)
o Yellow (discard if congestion)
o Green (forward)

Drop precedence in case of internal congestion

Ingress policing is supported on Port ACLs or VLAN ACLs. Port ACLs apply to individual port-based policers, which are members of individual LANEs. VLAN ACLs apply to global policers, which are members of all LANEs.

[Figure 3 diagram not reproduced. Labels: EF, AF3, AF2, BE; CIR, PIR; 2 Mbs, 10 Mbs; 20%; Forwarded, Discard Eligible, dropped.]

4.1 Policing Configuration

A policing policy can be set up using the following command:

ERS-8610:5# config qos policy ?

Sub-Context: lanes

Current Context:

create peak-rate <value> svc-rate <value> [lanes <value>] [name <value>]

delete

info

modify peak-rate <value> svc-rate <value>

name <value>

ERS-8610:5# config qos policy 1 create ?

create qos policy

Required parameters:

peak-rate <value> = peak rate in Kbs {250..10000000}

svc-rate <value> = service rate in Kbs {250..10000000}

Optional parameters:

lanes <all | value> = lanes associated with the Policer

account <slot/lane[-slot/lane,slot/lane]

name <value> = name for qos policy {string length 1..32}

Command syntax:

create peak-rate <value> svc-rate <value> [lanes <value>]

[name <value>]

ERS-8610:5# config qos policy <1..16383>

The following is an example where we wish to allow a peak rate of 10,000 Kbs with a service rate of 2,000 Kbs.

CLI:

ERS-8610:5# config qos policy 10 create peak-rate 10000 svc-rate 2000 name policy_1

ERS-8610:5# config qos policy 10 create peak-rate 10000 svc-rate 2000 lanes 7/3 name policy_1

NOTE: If adding a lane, you can select all lanes (all ports) or a fixed set of ports. For example, on the 8630, there are a total of three lanes where each lane represents ten ports (lane 1 for ports 1 to 10, lane 2 for ports 11 to 20, and lane 3 for ports 21 to 30).
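To see how the two rates of policy 10 split traffic into the three colors listed in section 4, the model below runs constant-rate traffic through a two-bucket policer. It is an added example, not Avaya code: the token-bucket algorithm, the 5000-byte burst size and the 1250-byte packets are assumptions, since the guide gives only the rates and the color outcomes.

```python
from collections import Counter

MILLI = 1000  # buckets are counted in millibits so all arithmetic stays integer


class TwoRatePolicer:
    """Two-bucket, three-color policer model (assumed token-bucket behaviour)."""

    RATE_RANGE = range(250, 10_000_001)  # Kbs range printed by the CLI help above

    def __init__(self, peak_rate, svc_rate, burst_bytes=5000):
        for name, rate in (("peak-rate", peak_rate), ("svc-rate", svc_rate)):
            if rate not in self.RATE_RANGE:
                raise ValueError(f"{name} {rate} is outside 250..10000000 Kbs")
        self.peak_rate = peak_rate
        self.svc_rate = svc_rate
        self.depth = burst_bytes * 8 * MILLI  # assumed burst size, same for both buckets
        self.peak_tokens = self.depth         # both buckets start full
        self.svc_tokens = self.depth
        self.last_us = 0

    def police(self, now_us, size_bytes):
        """Return 'green', 'yellow' or 'red' for one packet arriving at now_us."""
        elapsed = now_us - self.last_us
        self.last_us = now_us
        # 1 Kbs sustained for 1 microsecond is exactly 1 millibit.
        self.peak_tokens = min(self.depth, self.peak_tokens + self.peak_rate * elapsed)
        self.svc_tokens = min(self.depth, self.svc_tokens + self.svc_rate * elapsed)
        cost = size_bytes * 8 * MILLI
        if self.peak_tokens < cost:
            return "red"      # above peak rate: discard right away
        self.peak_tokens -= cost
        if self.svc_tokens < cost:
            return "yellow"   # above service rate: discard if congestion
        self.svc_tokens -= cost
        return "green"        # within service rate: forward


def simulate(offered_kbs, seconds=1, pkt_bytes=1250, peak_rate=10000, svc_rate=2000):
    """Offer a constant-rate stream to the policer and count the resulting colors."""
    policer = TwoRatePolicer(peak_rate, svc_rate)
    interval_us = pkt_bytes * 8 * 1000 // offered_kbs
    colors = Counter()
    for i in range(seconds * 1_000_000 // interval_us):
        colors[policer.police(i * interval_us, pkt_bytes)] += 1
    return colors


if __name__ == "__main__":
    for offered in (1000, 5000, 20000):  # below svc-rate, between the rates, above peak-rate
        print(offered, "Kbs ->", dict(simulate(offered)))
```

At 5,000 Kbs the green share settles near the 2,000 Kbs service rate and nothing is red; at 20,000 Kbs roughly half the packets exceed the peak rate and are red.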


Device Manager:

Via QoS>Policy>Policy>Insert


5. QoS Concepts

5.1 Changing the DiffServ Port Type

The ERS 8000 Series Switch implements a DiffServ architecture as defined in RFC 2474 and RFC 2475. The DSCP and the IEEE 802.1p marking found in VLANs are both used to mark the packet to its appropriate PHB and QoS level, providing layer 2 and layer 3 QoS functionality.

Figure 4: DiffServ Network Model

5.1.1 DiffServ Access Port

The DiffServ access port classifies traffic by marking it with the appropriate DSCP. The classified traffic is assigned to an internal QoS level based on the ACLs and traffic policies you enable. ACLs allow you to set criteria for identifying a microflow or an aggregate flow by matching on multiple fields in the IP packet.

5.1.2 DiffServ Core Port

The DiffServ core port does not change packet classification or marking done in the DiffServ access port. The core port preserves the DSCP or IEEE 802.1p bit marking of all incoming packets and uses these markings to assign the packet to an internal queue.

The following command is used to enable DiffServ on a port:

ERS-8610:5# config ethernet <slot/port> enable-diffserv <true|false>

To change the DiffServ port type, enter the following command:

ERS-8610:5# config ethernet <slot/port> access-diffserv <true|false>

5.2 L2 and L3 Trusted and Untrusted Ports

This section contains a series of traffic processing flowcharts, each of which shows ports configured as trusted and untrusted ports at both the L2 and L3 (DiffServ) levels. Figure 3 on page 36 shows the DiffServ access mode with the 802.1p override enabled.

Two separate configuration options are provided to configure R-Module ports as trusted or untrusted at the Layer 2 or Layer 3 level.

Layer 2 - Trusted and Untrusted Port

A port can be configured as a trusted port (honoring 802.1p bits) or as an untrusted port (overriding incoming 802.1p bits) by using the command shown below.

ERS-8610:5# config ethernet <slot/port> 802.1p-override <enable|disable>


o 802.1p-override enable => Override incoming 802.1p bits

o 802.1p-override disable => Honour and service incoming 802.1p bits

802.1p-override is disabled in the factory default configuration.

Layer 3 – Trusted and Untrusted Port

A port can be configured as a trusted port (core port) or an untrusted port (access port) at Layer 3. To configure a port as a core or access port, DiffServ must be enabled.

ERS-8610:5# config ethernet <slot/port> enable-diffserv <false|true>

ERS-8610:5# config ethernet <slot/port> access-diffserv <false|true>

o access-diffserv = true (access port) => Override incoming DSCP bits

o access-diffserv = false (core port) => Honour and service incoming DSCP bits

DiffServ is disabled in the factory default configuration.

Table 5 through Table 8 on pages 36 and 37 summarize ingress and egress QoS actions for various types of traffic originating on trusted and untrusted ports.

Table 5: L2 and L3 Trusted Port Actions

| Type of traffic | Ingress action | Egress marking |
|---|---|---|
| IP bridged untagged | Choose QoS level based on MAC/Port/VLAN setting. Send to the appropriate egress queue. | Keep original DSCP value. If the outgoing packet needs to be tagged, set 802.1p based on egress mapping. |
| IP bridged tagged | Examine packet 802.1p value, assign QoS level based on ingress 802.1p to QoS mapping. Send to the appropriate egress queue. | Keep original DSCP value. Keep original 802.1p value if the packet was tagged. If it was not tagged, but needs to be tagged, set 802.1p based on egress mapping. |
| IP routed | Examine packet DSCP value, assign QoS level based on ingress DSCP to QoS mapping. Send to the appropriate egress queue. | Keep original DSCP value. Keep original 802.1p value if the packet was tagged. If it was not tagged, but needs to be tagged, set 802.1p based on egress mapping. |
| Non-IP tagged | Examine packet 802.1p value, assign QoS level based on ingress 802.1p to QoS mapping. Send to the appropriate egress queue. | Keep original 802.1p value. |
| Non-IP untagged | Choose QoS level based on MAC/Port/VLAN setting. Send to the appropriate egress queue. | If the outgoing packet needs to be tagged, set 802.1p based on egress mapping. |

Table 6: L2 and L3 Untrusted Port Actions

| Type of traffic | Ingress action | Egress marking |
|---|---|---|
| IP bridged or routed | Ignore packet DSCP and 802.1p values. Assign QoS level based on MAC/Port/VLAN setting. Send to the appropriate egress queue. | Remark DSCP based on QoS to DSCP egress map. |
| Non-IP | Ignore packet DSCP and 802.1p values. Assign QoS level based on MAC/Port/VLAN setting. Send to the appropriate egress queue. | Remark 802.1p based on QoS to 802.1p egress map. |

Table 7: L2 Trusted and L3 Untrusted Port Actions

| Type of traffic | Ingress action | Egress marking |
|---|---|---|
| Tagged | Examine packet 802.1p value, assign QoS level based on ingress 802.1p to QoS mapping. Send to the appropriate egress queue. | Keep original 802.1p and DSCP values. |
| Untagged | Assign QoS level based on MAC/Port/VLAN setting. Send to the appropriate egress queue. | Mark 802.1p based on QoS to 802.1p egress map. Keep original DSCP value. |

Table 8: L2 Untrusted and L3 Trusted Port Actions

| Type of traffic | Ingress action | Egress marking |
|---|---|---|
| IP bridged or routed | Examine packet DSCP value, assign QoS level based on ingress DSCP to QoS mapping. Send to the appropriate egress queue. | Keep original DSCP value. Mark 802.1p based on QoS to 802.1p egress map. |
| Non-IP | Assign QoS level based on MAC/Port/VLAN setting. Send to the appropriate egress queue. | Mark 802.1p based on QoS to 802.1p egress map. |

Figure 5: Diffserv Access Mode – 802.1p Override

[Flowchart not reproduced. Port state: DSCP untrusted, p-bit untrusted, DiffServ enabled, DiffServ access port. Decision nodes: ACL configured with remark DSCP or remark p-bit and filter match? (see Figure 10, "Access Control Lists"); MAC QoS level defined?; VLAN QoS level greater than port QoS?; IP?; egress port tagged? Outcomes: internal QoS level equals the source MAC, VLAN or port QoS level; mark DSCP using the internal QoS to DSCP egress map table; remark p-bit using the internal QoS to p-bit egress map table.]

Figure 6: DiffServ Core Mode – 802.1p Override Enabled

[Flowchart not reproduced. Port state: p-bit untrusted, DSCP trusted; enable-diffserv = true, access-diffserv = false, 802.1p-override enable (DiffServ core port). Decision nodes: ACL configured with remark DSCP or remark p-bit and filter match? (see Figure 10, "Access Control Lists"); IP?; MAC QoS level defined?; VLAN QoS level greater than port QoS level?; egress port tagged? Outcomes: use the ingress map table to assign QoS by honoring incoming DSCP bits (bridged and routed traffic); internal QoS level equals the source MAC, VLAN or port QoS level; mark DSCP using the internal QoS to DSCP egress map table; remark p-bit using the internal QoS to p-bit egress map table.]

Figure 7: DiffServ Core Ports – 802.1p Override Disable

[Flowchart not reproduced. Port state: p-bit trusted, DSCP trusted; enable-diffserv = true, access-diffserv = false, 802.1p-override disable (DiffServ core port). Decision nodes: ACL configured with remark DSCP or remark p-bit and filter match? (see Figure 10, "Access Control Lists"); IP?; routed IP?; ingress tagged?; MAC QoS level defined?; VLAN QoS level greater than port QoS level?; egress port tagged? Outcomes: use the ingress map table to assign QoS by honoring incoming DSCP; use the ingress map table to assign QoS by honoring incoming p-bits; internal QoS level equals the source MAC, VLAN or port QoS level; mark p-bit using the internal QoS to p-bit egress map table.]

Figure 8: DiffServ Access Mode – 802.1p Override Disabled

[Flowchart not reproduced. Port state: p-bit trusted, DSCP untrusted; enable-diffserv = true, access-diffserv = true, 802.1p-override disable (DiffServ access port). Decision nodes: ACL configured with remark DSCP or remark p-bit and filter match? (see Figure 10, "Access Control Lists"); ingress packet tagged?; MAC QoS level defined?; VLAN QoS level greater than port QoS level?; egress port tagged? Outcomes: use the ingress map table to assign QoS by honoring incoming p-bits (bridged and routed traffic); internal QoS level equals the source MAC, VLAN or port QoS level; remark p-bit using the internal QoS to p-bit egress map table.]

Figure 9: DiffServ Disabled

[Flowchart not reproduced. Port state: DiffServ disable. Decision nodes: ACL configured with remark DSCP or remark p-bit and filter match? (see Figure 10, "Access Control Lists"); p-bit override enable?; packet tagged?; MAC QoS level defined?; VLAN QoS level greater than port QoS level? Outcomes: use the ingress map to assign internal QoS by honoring incoming 802.1p bits for both routing and bridging traffic; internal QoS level equals the source MAC, VLAN or port QoS level; if the egress port is tagged, use the egress QoS to p-bit mapping table to remark the p-bit.]

Figure 10: Access Control Lists

[Flowchart not reproduced. Entry: ACL configured with remark DSCP or remark p-bit and filter matched. Decision nodes: action police?; rate above peak?; rate above service rate? Outcomes: admit packet; packet re-colored; drop packet; go to Figure 11, "Access Control Lists Continued".]

Figure 11: Access Control Lists Continued

[Flowchart not reproduced. Decision nodes: remark DSCP?; remark 802.1p?; remap egress queue? Outcomes: remark DSCP; remark 802.1p; internal QoS based on DSCP; internal QoS based on 802.1p; internal QoS equal or greater of 802.1p or DSCP; normal QoS (forward packet to egress queue based on the QoS to egress queue map); remark egress queue (forward packet to egress queue based on the egress queue filter action).]

5.3 QoS for R-Mode Modules

Release 4.0 contains two different QoS implementations, as shown in the table below. Note the following in relation to the table:

Same-type module configurations
o All R-modules with new 8692SF
o All Classical modules with 8692SF for 8690/8691

Mixed-chassis configuration
o Classical modules and R-modules with new 8692SF

Mixed chassis configuration: operation in Default/M-mode, but features only available on R-modules
o 3 color 2 bucket ingress policing
o Advanced ingress/egress ACLs
o SMLT/IST on 10GIG

All R-module chassis configuration: operating in R-mode
o All features listed above, plus
o Advanced QoS with bandwidth reservation capabilities and egress shaping per port/queue
o 256k routes supported

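Table 9: QoS Features Supported

Columns R, M, E and pre-E are the module types (e = enable, d = disable). Columns QoS, Filters, Policing and Shaping are the features supported on the respective modules.

| Chassis config | Operation mode | R | M | E | pre-E | QoS | Filters | Policing | Shaping |
|---|---|---|---|---|---|---|---|---|---|
| Same-type chassis | Default | - | - | - | e | classic | classic | classic | - |
| | | - | - | e | - | classic | classic | classic | - |
| | M | - | e | - | - | classic | classic | classic | - |
| | R | e | - | - | - | advanced | advanced | advanced | advanced |
| Mixed-type modules chassis | Default | e | e | e | e | classic | classic / adv. on R-mod | classic / adv. on R-mod | - |
| | | e | e | e | e | classic | classic / adv. on R-mod | classic / adv. on R-mod | - |
| | M | e | e | d | d | classic | classic / adv. on R-mod | classic / adv. on R-mod | - |
| | R | e | d | d | d | advanced | advanced | advanced | advanced |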

NOTE: If R-mode is enabled, a mixture of modules (non-E, E, M, and R) is not supported. If M-mode is enabled and one or more modules installed in the chassis is an E module (32,000 table entries), the E modules will be disabled. This protects the system forwarding tables from lost entries.


5.3.1 Configuring R-mode

To configure the switch for R-mode, use the following commands. Note that after the switch has been set for R-mode, the configuration should be saved and the switch must be rebooted.

ERS-8610:5# config sys set flags ?

Sub-Context:

Current Context:

r-mode <true|false>

m-mode <true|false>

enhanced-operational-mode <true|false>

vlan-optimization-mode <true|false>

info

ERS-8610:5# config sys set flags r-mode true

ERS-8610:5# save config

ERS-8610:5# boot -y

5.4 Changing the Default Port or VLAN QoS Levels

The default port or VLAN QoS levels can be changed to assign a default QoS level for all traffic, provided the packet is not matched by an ACL that remarks it. By default, the port and VLAN QoS level is set to 1 (one).

To change the port QoS level, enter the command below:

ERS-8610:5# config ethernet <slot/port> qos-level ?

set Internal Qos Level for a port

Required parameters:

<0...7> = operation {0..7}

Command syntax:

qos-level <0...7>

To change the VLAN QoS level, enter the command below:

ERS-8610:5# config vlan <vlan #> qos-level ?

set Internal Qos Level for a vlan

Required parameters:

<0...7> = operation {0..7}

Command syntax:

qos-level <0...7>


5.5 Adding a MAC QoS Level

A QoS level can also be applied to a source MAC address, again provided the packet is not matched by an ACL that remarks it. The MAC QoS level can be set on a learned MAC address or added with a static MAC entry.

To change the source MAC QoS level for a dynamically learned address, enter the command below:

ERS-8610:5# config vlan <vlan #> fdb-entry qos-level ?

set fdb Qos Level

Required parameters:

<mac> = mac address {0x00:0x00:0x00:0x00:0x00:0x00}

status <value> = fdb status {other|invalid|learned|self|mgmt}

<0...7> = set qos level 0..7 {0..7}

Command syntax:

qos-level <mac> status <value> <0...7>

To change the source MAC QoS level for a static address, enter the command below:

ERS-8610:5# config vlan <vlan #> fdb-static ?

Sub-Context:

Current Context:

add <mac> port <value> qos <value>

info

remove <mac>

For example, to change the source MAC QoS level to 2 for the MAC address 00:00:00:00:01:0a on VLAN 2 via port 7/26, enter the command below:

ERS-8610:5# config vlan 2 fdb-static add 00:00:00:00:01:0a port 7/26 qos 2


6. Configuration Examples

6.1 Configuration Example 1: Marking and Dropping Traffic

Figure 12: Example 1 Diagram

In this configuration example, we wish to accomplish the following:

Drop tftp traffic

Allow http server traffic from Server 1 and Server 2 only and mark with Silver (CS2) service

Mark all other traffic with Bronze (CS1) service

Enable Statistics for each filter rule except for all other traffic marked with Bronze

Please follow the steps below to filter on the above criteria.

6.1.1 Via CLI

A. Create a new ACT to filter on source IP, IP protocol type, TCP source port, TCP destination port, and UDP destination port.

1. Create a new ACT with ID = 1

ERS-8610:5# config filter act 1 create

2. Select IP attributes of source IP and IP protocol type

ERS-8610:5# config filter act 1 ip srcIp,ipProtoType

3. Select Protocol Attributes of TCP source port, TCP destination port, and UDP destination port

ERS-8610:5# config filter act 1 protocol tcpSrcPort,tcpDstPort,udpDstPort

4. Enable ACT 1

ERS-8610:5# config filter act 1 apply

B. Create ACL 1:

1. Create ACL 1 with type of ingress VLAN:

ERS-8610:5# config filter acl 1 create inVlan act 1

2. Add ingress VLAN of 200 to ACL 1:

ERS-8610:5# config filter acl 1 vlan add 200


C. Add ACEs to ACL 1:

1. Add ACE 1 with action of deny tftp traffic and statistics enabled:

ERS-8610:5# config filter acl 1 ace 1 create

ERS-8610:5# config filter acl 1 ace 1 action deny stop-on-match true

ERS-8610:5# config filter acl 1 ace 1 debug count enable

ERS-8610:5# config filter acl 1 ace 1 ip ip-protocol-type eq udp

ERS-8610:5# config filter acl 1 ace 1 protocol udp-dst-port eq tftp

ERS-8610:5# config filter acl 1 ace 1 enable

2. Set ACE 2 with action of permit to remark DSCP to Silver (CS2) for web servers 10.1.1.2 and 10.1.1.3 for http traffic (TCP src-port 80) and enable statistics:

ERS-8610:5# config filter acl 1 ace 2 create

ERS-8610:5# config filter acl 1 ace 2 action permit remark-dscp phbcs2 stop-on-match true

ERS-8610:5# config filter acl 1 ace 2 debug count enable

ERS-8610:5# config filter acl 1 ace 2 ip src-ip eq 10.1.1.2-10.1.1.3

ERS-8610:5# config filter acl 1 ace 2 ip ip-protocol-type eq tcp

ERS-8610:5# config filter acl 1 ace 2 protocol tcp-src-port eq 80

ERS-8610:5# config filter acl 1 ace 2 enable

3. Set ACE 3 to deny web traffic from all other hosts, TCP source port 80:

ERS-8610:5# config filter acl 1 ace 3 create

ERS-8610:5# config filter acl 1 ace 3 action deny stop-on-match true

ERS-8610:5# config filter acl 1 ace 3 debug count enable

ERS-8610:5# config filter acl 1 ace 3 ip ip-protocol-type eq tcp

ERS-8610:5# config filter acl 1 ace 3 protocol tcp-src-port eq 80

ERS-8610:5# config filter acl 1 ace 3 enable

4. Set ACE 4 to remark all other traffic to Bronze (CS1):

ERS-8610:5# config filter acl 1 ace 4 create

ERS-8610:5# config filter acl 1 ace 4 action permit remark-dscp phbcs1 stop-on-match true

ERS-8610:5# config filter acl 1 ace 4 debug count enable

ERS-8610:5# config filter acl 1 ace 4 ip src-ip ge 0.0.0.0

ERS-8610:5# config filter acl 1 ace 4 enable

ERS-8610:5# config filter acl 1 ace default debug match-count kbytes-pkts

G. View Filter Statistics

To view the ACE Statistics, enter the following command:

ERS-8610:5# show filter acl statistics port

===========================================================================

Filter Port Statistics Table

===========================================================================

Acl Acl Acl Ace Port Packets Bytes

Id Name Type Id Num

---------------------------------------------------------------------------


1 ACL-1 inVlan 1 4/19 0 0

4/22 0 0

4/24 0 0

4/25 0 0

4/26 0 0

4/27 0 0

4/28 0 0

2 4/19 0 0

4/22 0 0

4/24 0 0

4/25 0 0

4/26 0 0

4/27 0 0

4/28 0 0

3 4/19 0 0

4/22 0 0

4/24 0 0

4/25 6640253 424976192

4/26 0 0

4/27 0 0

4/28 0 0

4 4/19 50324 3220736

4/22 0 0

4/24 0 0

4/25 219688530 14060065920

4/26 0 0

4/27 225213301 14413651264

4/28 0 0

Displayed 28 of 28 entries
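The order of the four ACEs decides the outcome: ACE 3 denies every packet with TCP source port 80, so the permit for Server 1 and Server 2 has to be evaluated first. The model below is an added example, not Avaya code. It assumes ACEs are evaluated in ascending ACE ID and that evaluation stops at the first match (stop-on-match true); the packets are constructed sample values, and the default action of permit is taken from the JDM steps in section 6.1.2.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass, replace
from typing import Optional, Tuple

DSCP = {"phbcs1": 8, "phbcs2": 16}  # CS1 and CS2 code points
TFTP = 69                           # UDP port behind the CLI keyword "tftp"


@dataclass(frozen=True)
class Ace:
    ace_id: int
    action: str                               # "permit" or "deny"
    proto: Optional[str] = None               # ip-protocol-type eq ...
    src_ip: Optional[Tuple[str, str]] = None  # inclusive source address range
    tcp_src_port: Optional[int] = None
    udp_dst_port: Optional[int] = None
    remark_dscp: Optional[str] = None

    def matches(self, pkt):
        """Every attribute configured on the ACE must match the packet."""
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        if self.src_ip is not None:
            low, high = (ipaddress.ip_address(a) for a in self.src_ip)
            if not low <= ipaddress.ip_address(pkt["src"]) <= high:
                return False
        if self.tcp_src_port is not None and pkt.get("sport") != self.tcp_src_port:
            return False
        if self.udp_dst_port is not None and pkt.get("dport") != self.udp_dst_port:
            return False
        return True


# ACL 1 as configured in steps C.1 to C.4 above.
ACL_1 = [
    Ace(1, "deny", proto="udp", udp_dst_port=TFTP),
    Ace(2, "permit", proto="tcp", src_ip=("10.1.1.2", "10.1.1.3"),
        tcp_src_port=80, remark_dscp="phbcs2"),
    Ace(3, "deny", proto="tcp", tcp_src_port=80),
    Ace(4, "permit", src_ip=("0.0.0.0", "255.255.255.255"), remark_dscp="phbcs1"),
]

# The same rules with ACE 2 and ACE 3 swapped, to show the ordering failure.
MISORDERED = [replace(a, ace_id={2: 3, 3: 2}.get(a.ace_id, a.ace_id)) for a in ACL_1]

# Constructed sample packets (not captured traffic).
PACKETS = {
    "tftp": {"proto": "udp", "src": "10.1.1.50", "sport": 40000, "dport": 69},
    "server_http": {"proto": "tcp", "src": "10.1.1.2", "sport": 80, "dport": 51000},
    "other_http": {"proto": "tcp", "src": "10.1.1.9", "sport": 80, "dport": 51000},
    "ssh": {"proto": "tcp", "src": "10.1.1.50", "sport": 52000, "dport": 22},
}


def evaluate(aces, pkt, counters=None):
    """Return (action, matching ACE ID, remarked DSCP) for one packet."""
    for ace in sorted(aces, key=lambda a: a.ace_id):
        if ace.matches(pkt):
            if counters is not None:
                counters[ace.ace_id] += 1  # mirrors "debug count enable"
            return ace.action, ace.ace_id, DSCP.get(ace.remark_dscp)
    return "permit", None, None  # DefaultAction: permit, no remark


if __name__ == "__main__":
    hits = Counter()
    for name, pkt in PACKETS.items():
        print(f"{name:12} ->", evaluate(ACL_1, pkt, hits))
    print("per-ACE hit counts:", dict(hits))
    print("misordered, server_http ->", evaluate(MISORDERED, PACKETS["server_http"]))
```

Per-ACE counters such as the ones in the statistics table above are the quickest way to spot this kind of ordering mistake on a live switch: a permit ACE that never counts while a later deny ACE does is the signature.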


6.1.2 Via JDM

A. Create ACT 1

Create a new ACT to filter on source IP, IP protocol type, TCP source port, TCP destination port, and UDP destination port.

1. Go to Security, click on Advanced L2-L7 Filter, and select ACL. When prompted with the 'NOTE: Filter configuration of R-modules only' dialog box, click on OK.

2. Via the ACT tab, click on Insert. You can add an ACT number and name if you wish, or just leave the default settings. The default name in this case should be ACT-1; this name will be used in step B when configuring the ACL. Next, check off the following items:

IpAttrs: srcIp and ipProtoType

ProtocolAttrs: tcpSrcPort, tcpDstPort, and udpDstPort

Click on Insert when completed

3. Finally, via the main ACT window, under the Apply icon, select true. This step must be completed prior to configuring the ACL.

B. Create ACL 1:

Via the ACL main window, click on the ACL tab and click on Insert. Unless you wish to change the ACL id, leave the default setting, which should default to 1 if this is the first ACL configured. Next, configure the following:

ActId: Select (1) ACT-1

Type: inVlan

Name: ACL-1 (if using the default name)


VlanList: select (200) VLAN-200

DefaultAction: permit

GlobalAction: none

State: enable

Click on Insert when completed

C. Add ACEs to ACL 1:

1. Add ACE 1 with action deny tftp traffic and statistics enabled.

Start by clicking on AclId 1 and then clicking on ACE via the ACL tab in the ACL window. Next, click on Insert. The default AceId should be 1. If you do not enter a name, a default name of ACE-1 will be used. Hence, do not enter anything in the AceId and Name windows. Next, enter the following:

Mode: deny

Flags: Count

StopOnMatch: enable

Click on Insert to complete ACE 1 configuration

Select UDP protocol type

Via the ACE Common tab, click on IP and click on Protocol tab. Click on Insert and enter the following

Oper: eq

List: udp

Click on Insert when completed


Select UDP port of tftp

Via the ACE Common tab, click on Proto and select the UDP Destination Port Tab. Click on Insert and enter the following

Oper: eq

Port: tftp

Click on Insert when completed

2. Add ACE 2 with action of permit http traffic from Server 1 and 2 and remark to DSCP CS2:

Start by clicking on Insert via the ACE Common tab. The default AceId should be 2. If you do not enter a name, a default name of ACE-2 will be used. Hence, do not enter anything in the AceId and Name windows. Next, enter the following:

Mode: permit

RemarkDscp: phbcs2

StopOnMatch: enable

Flags: Count

Click on Insert to complete ACE 2 configuration

Select Source IP address of Server 1 and 2 and TCP protocol type

Via the ACE Common tab with ACE-2 selected, click on IP and select the Source Address Tab. Click on Insert and enter the following:

Oper: eq

List: 10.1.1.2-10.1.1.3

Click on Insert when completed

Next, click the Protocol tab, click on Insert and enter the following:

Oper: eq

List: tcp

Click on Insert when completed

Select TCP port of http

Via the ACE Common tab, click on IP, select the Protocol Tab, and then the TCP Source Port tab. Click on Insert and enter the following

Oper: eq

Port: 80

Click on Insert when completed

3. Set ACE 3 to deny http source traffic from all hosts

Start by clicking on Insert via the ACE Common tab. The default AceId should be 3. If you do not enter a name, a default name of ACE-3 will be used. Hence, do not enter anything in the AceId and Name windows. Next, enter the following:

Mode: deny


Flags: Count

StopOnMatch: enable

Click on Insert to complete ACE 3 configuration

Select TCP protocol type

Via the ACE Common tab, click on IP and click on Protocol tab. Click on Insert and enter the following

Oper: eq

List: tcp

Click on Insert when completed

Select TCP source port of http

Via the ACE Common tab, click on Proto and select the TCP Source Port Tab. Click on Insert and enter the following

Oper: eq

Port: 80

Click on Insert when completed

4. Set ACE 4 to permit all other traffic and remark to DSCP CS1.

Start by clicking on Insert via the ACE Common tab. The default AceId should be 4. If you do not enter a name, a default name of ACE-4 will be used. Hence, do not enter anything in the AceId and Name windows. Next, enter the following:

Mode: permit

RemarkDscp: phbcs1

StopOnMatch: enable

Click on Insert to complete ACE 4 configuration

Select Source IP address of greater than 0.0.0.0

Via the ACE Common tab, click on IP and click on the Source Address tab. Click on Insert and enter the following

Oper: ge

List: 0.0.0.0

Click on Insert when completed

D. Enable all ACEs

Via the ACE Common tab, make sure all ACEs are enabled via the AdminState tab.

6.1.3 Changing the Default Egress Queue

In the configuration above, we simply configured an ACL with two ACEs to remark the DSCP value upon a filter match. An ACE can also be configured to select either an ADSSC color or an egress queue number to override the default ingress/egress queue mapping.

The following command is used to change the default ADSSC color:

ERS-8610:5# config filter acl <value> ace <value> action permit remark-dscp <value> egress-queue-nnsc <critical|custom|premium|platinum|gold|silver|bronze|standard|disable>

ERS-8610:5# config filter acl <value> ace <value> action permit remark-dot1p <value> egress-queue-nnsc <critical|custom|premium|platinum|gold|silver|bronze|standard|disable>

The following command is used to change the default ADSSC queue number:

ERS-8610:5# config filter acl <value> ace <value> action permit remark-dscp <value> egress-queue <0..64>

or

ERS-8610:5# config filter acl <value> ace <value> action permit remark-dscp <value> egress-queue <0..64>,<0..64>

or

ERS-8610:5# config filter acl <value> ace <value> action permit remark-dscp <value> egress-queue <0..64>,<0..64>,<0..64>

ERS-8610:5# config filter acl <value> ace <value> action permit remark-dot1p <value> egress-queue <0..64>

or

ERS-8610:5# config filter acl <value> ace <value> action permit remark-dot1p <value> egress-queue <0..64>,<0..64>

or

ERS-8610:5# config filter acl <value> ace <value> action permit remark-dot1p <value> egress-queue <0..64>,<0..64>,<0..64>

NOTE: The egress queue number can be a single value, 2 values or 3 values. The three values are for Egress Queue ID for 10/100 I/O module, Queue ID for 1GigE I/O module, and Queue ID for 10GigE I/O module. If only one value is specified, the same value is applied to all three I/O module types. If two values are specified, the first value is applied to 10/100 I/O modules, and the second value is applied to 1 GigE and 10 GigE I/O modules. If three values are specified, the three values are applied to 10/100, 1 GigE, and 10 GigE I/O modules respectively.

NOTE: If you are not using one of the default queue sets, i.e. queue set 1 or 2, you must use ACLs to remark and select the appropriate queue if the new queue set does not use the same queue IDs as, or uses more queues than, either of the two default queue sets. However, if the new queue set uses the same queue IDs and the same number of queues as either of the two default queue sets, then ACLs are not required to map traffic to the appropriate queue.

View Commands:

To view the default QoS Ingress mapping, use the following command:

ERS-8610:5# show qos ingressmap ?

Sub-Context:

Current Context:

1p [<ieee1p>]

ds [<dscp>]

To view the default QoS Egress mapping, use the following command:

ERS-8610:5# show qos egressmap ?

Sub-Context:

Current Context:

1p [<level>]

ds [<level>]

To view the default internal QoS to Egress Queue mapping, use the following command:

ERS-8610:5# show qos config eqmap <slot number>

To view the QoS level and shaper table, enter the following command:

ERS-8610:5# show qos config egress-queue-set egress-queue-set <1..386> queues

Where queue 1 is the default queue set for the 10/100/1000 I/O module and queue 2 is the default queue set for the GigE and 10 GigE I/O modules. For example, to view the GigE default queue set, enter the following command:

ERS-8610:5# show qos config egress-queue-set egress-queue-set 2 queues

6.2 Configuration Example 2: Filter Ranges and Policing

Figure 13: Filter Ranges and Policing

In this configuration example, we wish to perform the following for all users on VLAN 2:

Platinum service for UDP destination ports 1124 to 1784

Police all traffic using TCP destination ports 20-21 at CIR = 1Mbps, Peak Rate = 2Mbps and mark to Bronze Service

6.2.1 Via CLI

A. Create Police Profile

1. Create police policy.

ERS-8610:5# config qos policy 1 create peak-rate 2000 svc-rate 1000 lanes 7/3

NOTE: The lane member in this example is 7:3 because the ERS 8630 module for this configuration example is located in slot 7 and uses port members 7/29 and 7/30. Please see Section 4 for more details.

B. Create a new ACT to filter on UDP dst-port and TCP dst-port:

1. Create a new ACT with ID = 1

ERS-8610:5# config filter act 1 create

2. Select protocol attributes of TCP destination port and UDP destination port

ERS-8610:5# config filter act 1 protocol tcpDstPort,udpDstPort

3. Enable ACT 1

ERS-8610:5# config filter act 1 apply

C. Create ACL 1:

1. Create ACL 1 with type of ingress VLAN:

ERS-8610:5# config filter acl 1 create inVlan act 1

2. Add ingress VLAN of 2 to ACL 1:

ERS-8610:5# config filter acl 1 vlan add 2

D. Add ACEs to ACL 1:

1. Add ACE 1 with action of permit to remark DSCP to AF41 for UDP port range 1124-1784 and statistics enabled:

ERS-8610:5# config filter acl 1 ace 1 create name UDP-Range

ERS-8610:5# config filter acl 1 ace 1 action permit remark-dscp phbaf41

ERS-8610:5# config filter acl 1 ace 1 debug count enable

ERS-8610:5# config filter acl 1 ace 1 protocol udp-dst-port eq 1124-1784

ERS-8610:5# config filter acl 1 ace 1 enable

2. Set ACE 2 with action of permit to remark DSCP to Bronze for TCP ports 20-21 and enable statistics:

ERS-8610:5# config filter acl 1 ace 2 create name Police_1

ERS-8610:5# config filter acl 1 ace 2 action permit remark-dscp phbaf11 police 1

ERS-8610:5# config filter acl 1 ace 2 debug count enable

ERS-8610:5# config filter acl 1 ace 2 protocol tcp-dst-port eq 20-21

ERS-8610:5# config filter acl 1 ace 2 enable

6.2.2 Via JDM

A. Create Police Policy

Create a new police policy with a sustained rate of 1M and a peak rate of 2M:

1. Go to QoS, select Policy and then click on Insert. Unless you wish to change the GrId and Policy Name, leave the default setting of 1 and POLICY-1 respectively.

2. Next enter the following:

PeakRate: 2000

SvcRate: 1000

LaneMembers: 7:3 (Port 7/21-30)

Click on Insert when completed

NOTE: The lane member in this example is 7:3 because the ERS 8630 module for this configuration example is located in slot 7 and uses port members 7/29 and 7/30. Please see Section 4 for more details.

B. Create ACT 1

Create a new ACT to filter on UDP src-port and TCP src-port.

1. Go to Security, click on Advanced L2-L7 Filter, and select ACL. When prompted with the 'NOTE: Filter configuration of R-modules only' dialog box, click on OK.

2. Via the ACT tab, click on Insert. You can add an ACT number and name if you wish, or just leave the default settings. The default name in this case should be ACT-1; this name will be used in step B when configuring the ACL. Next, check the following items:

ProtocolAttrs: tcpSrcPort and udpSrcPort

Click on Insert when completed

3. Finally, via the main ACT window, under the Apply icon, select true. This step must be completed prior to configuring the ACL.

C. Create ACL 1:

Via the ACL main window, click on the ACL tab and click on Insert. Unless you wish to change the ACL id, leave the default setting which should default to 1 if this is the first ACL configured. Next, configure the following:

ActId: Select (1) ACT-1

Type: inVlan

Name: ACL-1 (if using the default name)

VlanList: select (2) VLAN-2

DefaultAction: permit

GlobalAction: none

State: enable

Click on Insert when completed

D. Add ACEs to ACL 1:

1. Add ACE 1 with action of permit, remark DSCP to AF41 and statistics enabled for UDP port range 1124 to 1754.

Start by clicking on AclId 1 and then clicking on ACE via the ACL tab in the ACL window. Next, click on Insert. The default AceId should be 1. If you do not enter a name, a default name of ACE-1 will be used. Hence, do not enter anything in the AceId and Name windows. Next, enter the following:

Mode: permit

RemarkDscp: phbaf41

Flags: Count

Click on Insert to complete ACE 1 configuration

Select UDP protocol type and range

Via the ACE Common tab, highlight AceId 1, click on Proto and click on the UDP Destination Port tab. Click on Insert and enter the following:

Oper: eq

Port: 1124-1754

Click on Insert when completed

2. Add ACE 2 with action of permit, remark DSCP to AF11 and statistics enabled for TCP port range 20 to 20.

Start by clicking on Insert via the ACE Common tab. The default AceId should be 2. If you do not enter a name, a default name of ACE-2 will be used. Hence, do not enter anything in the AceId and Name windows. Next, enter the following:

Mode: permit

RemarkDscp: phbaf11

Police: 1

Flags: Count

Click on Insert to complete ACE 2 configuration

Select TCP protocol type and range

Via the ACE Common tab with ACE-2 selected, click on Proto and select the TCP Destination Port Tab. Click on Insert and enter the following:

Oper: eq

Port: 20-21

Click on Insert when completed

3. Enable all ACEs

Via the ACE Common tab, make sure all ACEs are enabled via the AdminState tab.

6.3 Configuration Example 3: Setting Egress Queue Weight and Shaping Rate

As explained in Section 3 above, a Gigabit Ethernet port on an 8630 uses egress queue set 2 by default. The following command displays the default settings for this queue set.

ERS-8610:5# show qos config egress-queue-set egress-queue-set 2 queues

===========================================================================
R-Module QOS Shapers Table
===========================================================================
Qid  Q-name             Q-style   min-rate  max-rate  max-q-length
---------------------------------------------------------------------------
0    Platinum           Bal       10        100       163
1    Gold               Bal       10        100       163
2    Silver             Bal       5         100       327
3    Bronze             Bal       15        100       327
4    Standard(Default)  Bal       5         100       980
55   Custom             low-pri   0         100       980
62   Premium            high-pri  0         50        163
63   Critical/Network   high-pri  0         5         163

The min-rate shown also represents the queue weight associated with each CoS upon congestion.

For this example, we wish to change the default settings for all Gigabit Ethernet ports for the Platinum, Gold, Silver, and Bronze CoS. Overall, we wish to accomplish the following:

Assign Queue weight for Platinum to 40%

Assign Queue weight for Gold to 25%

Assign Queue weight for Silver to 15%

Assign Queue weight for Bronze to 5%

NOTE: In order to accomplish this, we will also have to re-assign the Premium maximum queue weight to 10 and change the minimum weight for Standard to 0. The minimum weight of all balanced queues plus the maximum weight of the Premium and Critical/Network queues must not exceed 100.

In order to accomplish this task, enter the following commands:

1. First, re-assign Qid 62 max-rate to 10.

ERS-8610:5# config qos egress-queue-set 2 queue 62 set max-rate 10

2. Next, re-assign the balanced queues starting with the lowest min-rate first in order to not exceed the 100 limit.

ERS-8610:5# config qos egress-queue-set 2 queue 4 set min-rate 0

ERS-8610:5# config qos egress-queue-set 2 queue 3 set min-rate 5

ERS-8610:5# config qos egress-queue-set 2 queue 2 set min-rate 15

ERS-8610:5# config qos egress-queue-set 2 queue 1 set min-rate 25

ERS-8610:5# config qos egress-queue-set 2 queue 0 set min-rate 40

3. Apply the changes to queue set 2.

ERS-8610:5# config qos egress-queue-set 2 apply
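The ordering rule in step 2 can be checked offline before the commands are typed. The following Python sketch is an added example, not part of the Avaya guide: it replays a list of set changes against the default queue set 2 values shown above and records the committed total after each change. That the switch checks the 100 limit on every individual set command is an assumption taken from the wording of step 2; the function and variable names are hypothetical.

```python
# Added example (not from the Avaya guide): replay egress-queue-set changes and
# check that balanced min-rates plus high-priority max-rates never exceed 100.

# Default egress queue set 2, copied from the shapers table on this page:
# qid -> (q-style, min-rate, max-rate)
DEFAULT_QUEUE_SET_2 = {
    0: ("Bal", 10, 100),       # Platinum
    1: ("Bal", 10, 100),       # Gold
    2: ("Bal", 5, 100),        # Silver
    3: ("Bal", 15, 100),       # Bronze
    4: ("Bal", 5, 100),        # Standard(Default)
    55: ("low-pri", 0, 100),   # Custom
    62: ("high-pri", 0, 50),   # Premium
    63: ("high-pri", 0, 5),    # Critical/Network
}

LIMIT = 100

# The order used in steps 1 and 2 of the guide: (qid, field, value).
GUIDE_ORDER = [
    (62, "max-rate", 10),
    (4, "min-rate", 0),
    (3, "min-rate", 5),
    (2, "min-rate", 15),
    (1, "min-rate", 25),
    (0, "min-rate", 40),
]

# Same target values, but Platinum is raised before anything is lowered.
PLATINUM_FIRST = [
    (0, "min-rate", 40),
    (1, "min-rate", 25),
    (2, "min-rate", 15),
    (3, "min-rate", 5),
    (4, "min-rate", 0),
    (62, "max-rate", 10),
]


def committed(queue_set):
    """Sum of balanced-queue min-rates and high-priority-queue max-rates."""
    total = 0
    for style, min_rate, max_rate in queue_set.values():
        if style == "Bal":
            total += min_rate
        elif style == "high-pri":
            total += max_rate
    return total


def replay(queue_set, changes):
    """Apply changes in order.

    Returns (state, trace, failed_step). trace holds the committed total that
    each change would produce. failed_step is None when every change fits, or
    the 1-based index of the first change that would exceed LIMIT; that change
    and everything after it are not applied (assumed per-command validation).
    """
    state = dict(queue_set)
    trace = []
    for step, (qid, field, value) in enumerate(changes, start=1):
        style, min_rate, max_rate = state[qid]
        if field == "min-rate":
            min_rate = value
        elif field == "max-rate":
            max_rate = value
        else:
            raise ValueError(f"step {step}: unknown field {field!r}")
        candidate = dict(state)
        candidate[qid] = (style, min_rate, max_rate)
        total = committed(candidate)
        trace.append(total)
        if total > LIMIT:
            return state, trace, step
        state = candidate
    return state, trace, None


if __name__ == "__main__":
    print("default committed:", committed(DEFAULT_QUEUE_SET_2))
    for label, order in (("guide order", GUIDE_ORDER),
                         ("platinum first", PLATINUM_FIRST)):
        _, trace, failed = replay(DEFAULT_QUEUE_SET_2, order)
        print(label, "totals per step:", trace, "rejected at step:", failed)
```

The default table already commits exactly 100, which is why the Premium max-rate has to be lowered before any balanced min-rate can be raised.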

After we have configured queue set 2, it should look like the following:

ERS-8610:5# show qos config egress-queue-set egress-queue-set 2 queues

===========================================================================
R-Module QOS Shapers Table
===========================================================================
Qid  Q-name             Q-style   min-rate  max-rate  max-q-length
---------------------------------------------------------------------------
0    Platinum           Bal       40        100       163
1    Gold               Bal       25        100       163
2    Silver             Bal       15        100       327
3    Bronze             Bal       5         100       327
4    Standard(Default)  Bal       0         100       980
55   Custom             low-pri   0         100       980
62   Premium            high-pri  0         10        163
63   Critical/Network   high-pri  0         5         163

Using the above configuration will also allow each balanced queue to forward traffic up to the maximum rate if there is no congestion. Let's assume that we also wish to shape the traffic to the same value as the minimum queue weight.

This can be accomplished by entering the following commands:

ERS-8610:5# config qos egress-queue-set 2 queue 3 set min-rate 5 max-rate 5

ERS-8610:5# config qos egress-queue-set 2 queue 2 set min-rate 15 max-rate 15

ERS-8610:5# config qos egress-queue-set 2 queue 1 set min-rate 25 max-rate 25

ERS-8610:5# config qos egress-queue-set 2 queue 0 set min-rate 40 max-rate 40

ERS-8610:5# config qos egress-queue-set 2 apply

ERS-8610:5# show qos config egress-queue-set egress-queue-set 2 queue

===========================================================================
R-Module QOS Shapers Table
===========================================================================
Qid  Q-name             Q-style   min-rate  max-rate  max-q-length
---------------------------------------------------------------------------
0    Platinum           Bal       40        40        163
1    Gold               Bal       25        25        163
2    Silver             Bal       15        15        327
3    Bronze             Bal       5         5         327
4    Standard(Default)  Bal       0         100       980
55   Custom             low-pri   0         100       980
62   Premium            high-pri  0         10        163
63   Critical/Network   high-pri  0         5         163

6.3.1 Using Show Commands to Trace Ingress CoS to Egress Queue Mapping

After completing the configuration example in Section 5.3, we can trace the ingress CoS to egress queue mapping by using the following show commands. Of interest is the mapping for CoS levels Platinum, Gold, Silver, and Bronze.

1. View the ingress DSCP and 802.1p mapping. In this case, we will only show the mappings for Platinum (AF41, 0x22 or 34), Gold (AF31, 0x1A or 26), Silver (AF21, 0x12 or 18), and Bronze (AF11, 0xA or 10).

ERS-8610:5# show qos ingressmap ds

========================================================================
Qos Ingress DSCP to QOS-Level Map
========================================================================
DSCP  DSCP-bin  QOSLEVEL
------------------------------------------------------------------------
10    001010    2
18    010010    3
26    011010    4
34    100010    5

ERS-8610:5# show qos ingressmap 1p

========================================================================
Qos Ingress IEEE 1P to QOS-Level Map
========================================================================
IEEE1P  QOSLEVEL
------------------------------------------------------------------------
0       1
1       0
2       2
3       3
4       4
5       5
6       6
7       7

2. Next, to view the QoS Level to Egress Queue Mapping, enter the following command, assuming we have an ERS 8630 Gigabit Ethernet Module in Slot 7.

ERS-8610:5# show qos config eqmap 7

========================================================================
Internal-QOS to Egress Queue Map
========================================================================
Internal QOS  Egress Queue
------------------------------------------------------------------------
0             55
1             4
2             3
3             2
4             1
5             0
6             62
7             63

3. Finally, to view the Egress Queue Mapping to CoS level, enter the following command:

ERS-8610:5# show qos config egress-queue-set egress-queue-set 2 queue

====================================================================
R-Module QOS Shapers Table
====================================================================
Qid  Q-name             Q-style   min-rate  max-rate  max-q-length
--------------------------------------------------------------------
0    Platinum           Bal       40        40        163
1    Gold               Bal       25        25        163
2    Silver             Bal       15        15        327
3    Bronze             Bal       5         5         327
4    Standard(Default)  Bal       0         100       980
55   Custom             low-pri   0         100       980
62   Premium            high-pri  0         10        163
63   Critical/Network   high-pri  0         5         163

6.3.2 Changing the Ingress Mapping

If you wish, you can change the QoS ingress mapping by using the following command:

ERS-8610:5# config qos ingressmap ?

Sub-Context:

Current Context:

1p <ieee1p> <level>

ds <dscp> <level>

info

Map DS Byte to QOS Level

Required parameters:

<dscp> = Diff-Serv Code Point as Index {0..63}

<level> = QOS Level {0..7}

Command syntax:

ds <dscp> <level>

Map IEEE 1p Priority to QOS Level

Required parameters:

<ieee1p> = IEEE 1P as Index {0..7}

<level> = QOS Level {0..7}

Command syntax:

1p <ieee1p> <level>

6.4 Configuration Example – Changing Egress Port Shaper

In addition to supporting egress queue shaping, the R-modules also support egress port shaping. While egress queue shaping provides shaping per queue, port shaping shapes all outgoing traffic on a port to a specific rate.

Port shaping is configured at a port level using the following command:

ERS-8610:5# config ethernet 7/29 shape ?

set shape or egress-rate-limit on ports, only apply to R-module port

Required parameters:

<kbps> = rate limit in kbps {1000..10000000}

Optional parameters:

<enable|disable> = operation {disable|enable}

Command syntax:

shape <kbps> [<enable|disable>]

For example, assuming we wish to shape port 7/29 to 10 Mbps, enter the following command:

ERS-8610:5# config ethernet 7/29 shape 10000 enable

6.5 Configuration Example – Deny ARP/MAC Spoofing Attack in a Layer 2 Environment

MAC spoofing simply involves spoofing the known MAC address of another host so that the target switch forwards frames destined for that remote host to the attacker's host instead. By sending frames with the other host's MAC address, the attacker is telling the Layer 2 switch to forward traffic to the attacker's port from now on. To correct this, the host must send out frames to tell the switch to relearn the host MAC address. This type of attack is confined to the switch itself, within the MAC/CAM address table.

The attacker can perform ARP spoofing so that it can use the IP address of an attacked host and inform the remote systems to send traffic to the attacker's MAC address. Gratuitous ARPs (gARP) can be used maliciously by an attacker to spoof the IP address of a host on a LAN segment. It can be used to spoof the identity between two hosts or all traffic from a default gateway in a man-in-the-middle attack.

Figure 14: Deny ARP/MAC Spoofing Attack

In this configuration example:

PP8600A is configured with VLAN 2 with port members 7/26 to 7/30

We will add an ACL to access ports 7/26 to 7/29 to prevent ARP/MAC man-in-the-middle attack

Basically, an ACL has to be set up to perform the following on all access ports:

a. Allow ARP requests as long as the dst MAC is a broadcast address

b. Deny gARP with an ARP response using the default gateway address as either the src IP or dst IP in an ARP response packet. This prevents an attacker from spoofing the victim's IP address to the default gateway and the default gateway's address to a victim

c. Allow ARP response as the last ACL action

To add an ACL to prevent an ARP/MAC man-in-the-middle attack, perform the following steps. For this example, by default, a pre-defined ACT has already been set up for ARP/MAC spoofing using ACT 4083. This can be verified by using the 'show filter act' or 'show filter act 4083' commands. To view the ACT pattern, use the command 'show filter act-pattern 4083'.

Note that the ACT patterns p1 and p2 use a base pattern of ether-begin. Ether-begin refers to the beginning of an Ethernet packet. Next, notice that p1 is configured with an offset of 224 bits and an offset length of 32 bits. This offset allows us to filter on the src IP in an ARP packet. Finally, notice that p2 is configured with an offset of 224 bits and an offset length of 32 bits. This offset pattern allows us to filter on the dst IP in an ARP packet.

6.5.1 Via CLI

A. Create ACL 1

1. Create ACL 1 with type of inPort using ACT id 4083

ERS-8610:5# config filter acl 1 create inPort act 4083

2. Add Access ports to ACL 1

ERS-8610:5# config filter acl 1 port add 7/26-7/29

B. Add ACEs to ACL 1

1. Add ACE 1 with action of permit to allow ARP requests with a broadcast address as the dst MAC

ERS-8610:5# config filter acl 1 ace 1 action permit

ERS-8610:5# config filter acl 1 ace 1 ethernet dst-mac eq ff:ff:ff:ff:ff:ff

ERS-8610:5# config filter acl 1 ace 1 arp operation eq arprequest

ERS-8610:5# config filter acl 1 ace 1 enable

2. Add ACE 2 with action of deny to drop any ARP requests and enable statistics

ERS-8610:5# config filter acl 1 ace 2 action deny

ERS-8610:5# config filter acl 1 ace 2 debug count enable

ERS-8610:5# config filter acl 1 ace 2 arp operation eq arprequest

ERS-8610:5# config filter acl 1 ace 2 enable

3. Add ACE 3 with action of deny to drop any ARP response with a source address of the default gateway. Note the name p1; this is the ACT pattern name as explained above and used for pattern 1. Also note that the IP address is entered in Hex.

ERS-8610:5# config filter acl 1 ace 3 action deny

ERS-8610:5# config filter acl 1 ace 3 debug count enable

ERS-8610:5# config filter acl 1 ace 3 advanced custom-filter1 p1 eq 0a011901

ERS-8610:5# config filter acl 1 ace 3 enable

4. Add ACE 4 with action of deny to drop any ARP response with a destination address of the default gateway. Note the name p2; this is the ACT pattern name as explained above and used for pattern 2. Also note that the IP address is entered in Hex.

ERS-8610:5# config filter acl 1 ace 4 action deny

ERS-8610:5# config filter acl 1 ace 4 debug count enable

ERS-8610:5# config filter acl 1 ace 4 advanced custom-filter2 p2 eq 0a011901

ERS-8610:5# config filter acl 1 ace 4 enable

5. Add ACE 5 with action of permit to allow all other ARP responses.

ERS-8610:5# config filter acl 1 ace 5 action permit

ERS-8610:5# config filter acl 1 ace 5 arp operation eq arpresponse

ERS-8610:5# config filter acl 1 ace 5 enable
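To see what the five ACEs above select, the following Python sketch (an added example, not code from the Avaya guide) builds constructed untagged Ethernet II ARP frames, reads the custom-filter fields by bit offset from ether-begin, and reports which ACE matches. Assumptions: the lowest-numbered matching ACE decides and unmatched frames are permitted; the guide lists an offset of 224 bits for both p1 and p2, and since in an untagged frame bit 224 is the ARP sender IP while the target IP starts at bit 304, the sketch uses 304 for p2, a value to confirm on the switch with 'show filter act-pattern 4083'. All MAC addresses and host IPs other than the gateway value 0a011901 are constructed.

```python
# Added example (not from the Avaya guide): evaluate ACEs 1-5 of the ARP ACL
# against constructed untagged Ethernet II ARP frames.
import ipaddress
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = bytes.fromhex("ffffffffffff")

# (bit offset from ether-begin, length in bits)
P1 = (224, 32)  # ARP sender IP: 14-byte Ethernet header + 8 + 6 bytes of ARP
P2 = (304, 32)  # ARP target IP: assumption, see lead-in (14 + 8 + 6 + 4 + 6 bytes)


def ip_to_filter_hex(ip):
    """Dotted-quad IPv4 address -> the hex string typed into custom-filter."""
    return ipaddress.IPv4Address(ip).packed.hex()


def pattern_value(frame, pattern):
    """Hex string of the bytes an ACT pattern selects in a frame."""
    offset_bits, length_bits = pattern
    start = offset_bits // 8
    return frame[start:start + length_bits // 8].hex()


def build_arp(dst_mac, src_mac, oper, sender_ip, target_mac, target_ip):
    """Constructed untagged Ethernet II frame carrying IPv4-over-Ethernet ARP."""
    eth = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
    arp += src_mac + ipaddress.IPv4Address(sender_ip).packed
    arp += target_mac + ipaddress.IPv4Address(target_ip).packed
    return eth + arp


def evaluate(frame, gateway_hex):
    """Return (ace_id, action); ace_id 0 means no ACE matched (default permit)."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return 0, "permit"  # not an untagged ARP frame: outside this sketch
    dst_mac = frame[0:6]
    oper = struct.unpack("!H", frame[20:22])[0]
    aces = [
        (1, "permit", dst_mac == BROADCAST and oper == ARP_REQUEST),
        (2, "deny", oper == ARP_REQUEST),
        (3, "deny", pattern_value(frame, P1) == gateway_hex),
        (4, "deny", pattern_value(frame, P2) == gateway_hex),
        (5, "permit", oper == ARP_REPLY),
    ]
    for ace_id, action, matched in aces:
        if matched:
            return ace_id, action
    return 0, "permit"


def sample_frames():
    """Constructed frames; MACs are locally administered test values."""
    host = bytes.fromhex("020000000010")
    peer = bytes.fromhex("020000000020")
    none = bytes(6)
    return {
        "broadcast request": build_arp(BROADCAST, host, ARP_REQUEST,
                                       "10.1.25.50", none, "10.1.25.60"),
        "unicast request": build_arp(peer, host, ARP_REQUEST,
                                     "10.1.25.50", none, "10.1.25.60"),
        "reply, sender IP is gateway": build_arp(peer, host, ARP_REPLY,
                                                 "10.1.25.1", peer, "10.1.25.60"),
        "reply, target IP is gateway": build_arp(peer, host, ARP_REPLY,
                                                 "10.1.25.50", peer, "10.1.25.1"),
        "ordinary reply": build_arp(peer, host, ARP_REPLY,
                                    "10.1.25.50", peer, "10.1.25.60"),
    }


if __name__ == "__main__":
    gateway = ip_to_filter_hex("10.1.25.1")
    print("custom-filter value for 10.1.25.1:", gateway)
    for name, frame in sample_frames().items():
        print(f"{name:30s} -> ACE {evaluate(frame, gateway)}")
```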

6.5.2 Via JDM

A. Create ACL 1

Create a new ACL with type of inPort using ACT ID 1

1. Go to Security, select Advanced L2-L7 Filter and then click on ACL. Click on the OK button when prompted with the 'NOTE: Filter configuration of R-modules only' icon. Unless you wish to change the GrId and Policy Name, leave the default setting of 1 and POLICY-1 respectively.

2. Via the ACL tab, click on Insert. Unless you wish to change the ACL id, leave the default setting which should default to 1 if this is the first ACL configured. Next enter the following:

ActId: 4083

Type: inPort

PortList: 7/26-7/29

Click on Insert when finished.

B. Add ACEs to ACL 1

1. Add ACE 1 with action of permit to allow ARP requests with a broadcast address as the dst MAC.

Start by clicking on AclId 1 and then clicking on ACE via the ACL tab in the ACL window. Next, click on Insert. The default AceId should be 1. If you do not enter a name, a default name of ACE-1 will be used. Hence, do not enter anything in the AceId and Name windows. Next, enter the following:

Mode: permit

Click on Insert when completed

Setup Ethernet dst address

Via the ACE Common tab, highlight AceId 1, click on Eth and click on Destination Address tab. Click on Insert and enter the following:

Oper: eq

List: ff:ff:ff:ff:ff:ff

Click on Insert when completed

Setup ARP Request

Via the ACE Common tab, highlight AceId 1, click on Arp and click on Insert tab. Click on Insert and enter the following:

Type: operation

Oper: eq

Value: arpRequest

Click on Insert when completed

2. Add ACE 2 with action of deny to drop all other ARP requests and enable statistics

Start by clicking on Insert via the ACE Common tab. The default AceId should be 2. If you do not enter a name, a default name of ACE-2 will be used. Hence, do not enter anything in the AceId and Name windows. Next, enter the following:

Mode: deny

Flags: Count

Click on Insert to complete ACE 2 configuration

Select ARP Request

Via the ACE Common tab with ACE-2 selected, click on Arp. Click on Insert and enter the following:

Type: operation

Oper: eq

Value: arpRequest

Click on Insert when completed

3. Add ACE 3 with action of deny to drop any ARP response with a source address of the default gateway. Note the name p1; this is the ACT pattern name as explained above and used for pattern 1. Also note that the IP address is entered in Hex.

Start by clicking on Insert via the ACE Common tab. The default AceId should be 3. If you do not enter a name, a default name of ACE-3 will be used. Hence, do not enter anything in the AceId and Name windows. Next, enter the following:

Mode: deny

Flags: Count

Click on Insert to complete ACE 3 configuration

Select ACT data pattern p1

Via the ACE Common tab with ACE-3 selected, click on Adv. Click on Pattern 1 and then Insert and enter the following:

Name: p1

Oper: eq

Value: 0a011901

Click on Insert when completed

4. Add ACE 4 with action of deny to drop any ARP response with a destination address of the default gateway. Note the name p2; this is the ACT pattern name as explained above and used for pattern 2. Also note that the IP address is entered in Hex.

Start by clicking on Insert via the ACE Common tab. The default AceId should be 4. If you do not enter a name, a default name of ACE-4 will be used. Hence, do not enter anything in the AceId and Name windows. Next, enter the following:

Mode: deny

Flags: Count

Click on Insert to complete ACE 4 configuration

Select ACT data pattern p2

Via the ACE Common tab with ACE-4 selected, click on Adv. Click on Pattern 2 and then Insert and enter the following:

Name: p2

Oper: eq

Value: 0a011901

Click on Insert when completed

5. Add ACE 5 with action of permit to allow all other ARP responses.

Start by clicking on Insert via the ACE Common tab. The default AceId should be 5. If you do not enter a name, a default name of ACE-5 will be used. Hence, do not enter anything in the AceId and Name windows. Next, enter the following:

Mode: permit

Click on Insert to complete ACE 5 configuration

Select ARP Response

Via the ACE Common tab with ACE-5 selected, click on Arp. Click on Insert and enter the following:

Type: operation

Oper: eq

Value: arpResponse

Click on Insert when completed

C. Enable all ACEs

Via the ACE Common tab, make sure all ACEs are enabled via the AdminState tab.

6.6 Configuration Example – DoS Attacks

In this configuration example, we will use both offset and normal filters to deny various DoS attacks. Although there are many DoS attacks, for this example we will concentrate on the following:

SQLslam: The worm targeting SQL Server computers is self-propagating malicious code that exploits the vulnerability described in VU#484891 (CAN-2002-0649). This vulnerability allows for the execution of arbitrary code on the SQL Server computer due to a stack buffer overflow. Once the worm compromises a machine, it will try to propagate itself. The worm will craft packets of 376-bytes and send them to randomly chosen IP addresses on port 1434/udp. If the packet is sent to a vulnerable machine, this victim machine will become infected and will also begin to propagate. Beyond the scanning activity for new hosts, the current variant of this worm has no other payload. Activity of this worm is readily identifiable on a network by the presence of 376-byte UDP packets. These packets will appear to be originating from seemingly random IP addresses and destined for port 1434/udp.

Nachia: The W32/Nachi variants W32/Nachi-A and W32/Nachi-B are worms that spread using the RPC DCOM vulnerability in a similar fashion to the W32/Blaster-A worm. Both rely upon two vulnerabilities in Microsoft's software.

Xmas: This is a DoS attack that sends TCP packets with TCP Flags URG, PSH, and FIN set in the same packet which is illegal.

TCP SynFinScan: This is a DoS attack that sends both a TCP SYN and FIN in the same packet which is illegal.

TCP FtpPort: These are TCP packets with a source port of 20 (FTP) and a destination port less than 1024 which is illegal. A legal FTP request would have been initiated with a TCP port greater than 1024.

TCP DnsPort: Similar to TCP FtpPort above but for DNS port 53. Note that this is for TCP DNS.

To configure the above, please follow the steps below. For this example, we will assume the following:

Use ACT 1 with two off-set patterns for SQLslam and Nachia

Use ACL 4

Apply the ACL 4 to VLAN 2.

6.6.1 Via CLI

A. Create a new ACT to filter on src-IP, dst-IP, IP Protocol Type, TCP src port, TCP dst port, UDP dst port, and TCP Flags. Also add off-set pattern location.

1. Create a new ACT with ID = 1

ERS-8610:5# config filter act 1 create

2. Select IP attributes of source IP, destination IP, and IP protocol type

ERS-8610:5# config filter act 1 ip srcIp,dstIp,ipProtoType

3. Select Protocol Attributes of TCP source port, TCP destination port, UDP destination port, and TCP flags

ERS-8610:5# config filter act 1 protocol tcpSrcPort,tcpDstPort,udpDstPort,tcpFlags

4. Add ACT pattern location for SQLslam. For this example, we will start at the beginning of the IP TOS field. The pattern we wish to filter on begins 216 bits (27 bytes, data field) from the beginning of the IP TOS field where the pattern length is 48 bits (6 bytes). We will name the pattern SQLslam. This name will be applied to an ACE with the actual pattern later on.

ERS-8610:5# config filter act 1 pattern SQLslam add ip-tos-begin 216 48

5. Add ACT pattern location for Nachia. For this example, we will start at the beginning of the IP TOS field. The pattern we wish to filter on begins 224 bits (28 bytes) from the beginning of the IP TOS field where the pattern length is 24 bits (3 bytes). This name will be applied to an ACE with the actual pattern later on.

ERS-8610:5# config filter act 1 pattern Nachia add ip-tos-begin 224 24

6. Enable ACT 1

ERS-8610:5# config filter act 1 apply

B. Create ACL 4

1. Create ACL 4 with type of ingress VLAN:

ERS-8610:5# config filter acl 4 create inVlan act 1

2. Add VLAN 2 to ACL 4:

ERS-8610:5# config filter acl 4 vlan add 2

C. Add ACEs to ACL 4

1. Add ACE 1 with action of deny stop-on-match for SQLslam and enable statistics. We will add the offset pattern of 040101010101 using ACT pattern named SQLslam configured in Step A, bullet 4 above. Note that we are adding the offset pattern to advanced custom filter 1. A maximum of up to three offset patterns are allowed per ACL.

ERS-8610:5# config filter acl 4 ace 1 create name "ACE-SQLslam"

ERS-8610:5# config filter acl 4 ace 1 action deny stop-on-match true

ERS-8610:5# config filter acl 4 ace 1 debug count enable

ERS-8610:5# config filter acl 4 ace 1 ip ip-protocol-type eq udp

ERS-8610:5# config filter acl 4 ace 1 protocol udp-dst-port eq 1434

ERS-8610:5# config filter acl 4 ace 1 advanced custom-filter1 SQLslam eq 040101010101

ERS-8610:5# config filter acl 4 ace 1 enable

2. Add ACE 2 with action of deny stop-on-match for Nachia and enable statistics. We will add the offset pattern of aaaaaa using ACT pattern named Nachia configured in Step A, bullet 5 above. Note that we are adding the offset pattern to advanced custom filter 2. A maximum of up to three offset patterns are allowed per ACL.

ERS-8610:5# config filter acl 4 ace 2 create name "ACE-Nachia"

ERS-8610:5# config filter acl 4 ace 2 action deny stop-on-match true

ERS-8610:5# config filter acl 4 ace 2 debug count enable

ERS-8610:5# config filter acl 4 ace 2 ip ip-protocol-type eq icmp

ERS-8610:5# config filter acl 4 ace 2 advanced custom-filter2 Nachia eq aaaaaa

ERS-8610:5# config filter acl 4 ace 2 enable

3. Add ACE 3 with action of deny stop-on-match for Xmas and enable statistics. We will filter on protocol type of TCP with TCP Flag set with Finish, Push, and Urgent.

ERS-8610:5# config filter acl 4 ace 3 create name "ACE-Xmas"

ERS-8610:5# config filter acl 4 ace 3 action deny stop-on-match true

ERS-8610:5# config filter acl 4 ace 3 debug count enable

ERS-8610:5# config filter acl 4 ace 3 ip ip-protocol-type eq tcp

ERS-8610:5# config filter acl 4 ace 3 protocol tcp-flags match-all fin,push,urg

ERS-8610:5# config filter acl 4 ace 3 enable

4. Add ACE 4 with action of deny stop-on-match for TCP SynFinScan and enable statistics. Here we will filter on protocol type of TCP with TCP Flag set with Synchronize and Finish.

ERS-8610:5# config filter acl 4 ace 4 create name "ACE-SynFinScan"

ERS-8610:5# config filter acl 4 ace 4 action deny stop-on-match true

ERS-8610:5# config filter acl 4 ace 4 debug count enable

ERS-8610:5# config filter acl 4 ace 4 ip ip-protocol-type eq tcp

ERS-8610:5# config filter acl 4 ace 4 protocol tcp-flags match-all fin,syn

ERS-8610:5# config filter acl 4 ace 4 enable

5. Add ACE 5 with action of deny stop-on-match for TCP FtpPort and enable statistics. Here we will filter on protocol type of TCP with TCP Flag set with Synchronize, TCP src port equals 20, and TCP dst port equal to or less than 1024.

ERS-8610:5# config filter acl 4 ace 5 create name "ACE-FtpPort"

ERS-8610:5# config filter acl 4 ace 5 action deny stop-on-match true

ERS-8610:5# config filter acl 4 ace 5 debug count enable

ERS-8610:5# config filter acl 4 ace 5 ip ip-protocol-type eq tcp

ERS-8610:5# config filter acl 4 ace 5 protocol tcp-src-port eq 20

ERS-8610:5# config filter acl 4 ace 5 protocol tcp-dst-port le 1024

ERS-8610:5# config filter acl 4 ace 5 protocol tcp-flags match-all syn

ERS-8610:5# config filter acl 4 ace 5 enable

6. Add ACE 6 with an action of deny stop-on-match for TCP DnsPort and enable statistics. Here we will filter on protocol type TCP with the TCP flag Synchronize set, TCP src port equal to 53, and TCP dst port equal to or less than 1024.

ERS-8610:5# config filter acl 4 ace 6 create name "ACE-DnsPort"

ERS-8610:5# config filter acl 4 ace 6 action deny stop-on-match true

ERS-8610:5# config filter acl 4 ace 6 debug count enable

ERS-8610:5# config filter acl 4 ace 6 ip ip-protocol-type eq tcp

ERS-8610:5# config filter acl 4 ace 6 protocol tcp-src-port eq 53

ERS-8610:5# config filter acl 4 ace 6 protocol tcp-dst-port le 1024

ERS-8610:5# config filter acl 4 ace 6 protocol tcp-flags match-all syn

ERS-8610:5# config filter acl 4 ace 6 enable

6.6.2 Via JDM

A. Create a new ACT to filter on src-IP, dst-IP, IP Protocol Type, TCP src port, TCP dst port, UDP dst port, and TCP Flags. Also add off-set pattern location.

Create a new ACL with type of inport using ACT ID 1

1. Go to Security, select Advanced L2-L7 Filter and then click on ACL. Click on the OK button when prompted with the 'NOTE: Filter configuration of R-modules only' icon.

2. Via the ACT tab, click on Insert. Unless you wish to change the ACL id, leave the default setting which should default to 1 if this is the first ACL configured. Next enter the following:

IpAttrs: srcIp, dstIp, ipProtoType

ProtocolAttrs: tcpSrcPort, tcpDstPort, udpDstPort, tcpFlags

Click on Insert when finished

3. Via the ACT tab, select ACT-1 and click on Pattern. Via the Pattern window, click on Insert to add the ACT pattern location for SQLslam. For this example, we will start at the beginning of the IP TOS field. The pattern we wish to filter on begins 216 bits (27 bytes, data field) from the beginning of the IP TOS field, and the pattern length is 48 bits (6 bytes). We will name the pattern SQLslam. This name will be applied to an ACE with the actual pattern later on. Enter the following:

Name: SQLslam

Base: ipTosBegin

Offset: 216

Length: 48

Click on Insert when finished

4. Via the Pattern window, click on Insert to add the ACT pattern location for Nachia. For this example, we will start at the beginning of the IP TOS field. The pattern we wish to filter on begins 224 bits (28 bytes) from the beginning of the IP TOS field, and the pattern length is 24 bits (3 bytes). This name will be applied to an ACE with the actual pattern later on.

Name: Nachia

Base: ipTosBegin

Offset: 224

Length: 24

Click on Insert when finished

Via the Pattern window, click on Close to go back to the main ACT window

5. Enable ACT-1

Via the main ACT window, under the Apply tab for ACT-1, select true then click on Apply.

B. Create ACL 4

Create a new ACL using ACL ID 4 with type of inVlan using ACT ID 1

1. Go to Security, select Advanced L2-L7 Filter and then click on ACL.

2. Via the ACL tab, click on Insert. Next enter the following:

AclId: 4

ActId: 1

Type: inVlan

VlanList: 2

Click on Insert when finished.

C. Add ACEs to ACL 4

1. Add ACE 1 with an action of deny stop-on-match for SQLslam and enable statistics. We will add the offset pattern 040101010101 using the ACT pattern named SQLslam configured in Step A, bullet 3 above. Note that we are adding the offset pattern to Pattern 1. A maximum of three offset patterns is allowed per ACL.

Start by clicking on AclId 4 and then clicking on ACE via the ACL tab in the ACL window. Next, click on Insert. The default AceId should be 1. Next, enter the following:

Name: ACE-SQLslam

Mode: deny

StopOnMatch: enable

Flags: count

Click on Insert when completed

Setup IP Protocol type of UDP

Via the ACE Common tab, highlight AceId 4, click on IP and Protocol tab. Click on Insert and enter the following:

Oper: eq

List: udp

Click on Insert when completed and then close

Setup UDP destination port equals 1434

Via the ACE Common tab, highlight AceId 4, click on Proto and UDP Destination Port tab. Click on Insert and enter the following:

Oper: eq

Port: 1434

Click on Insert and then close when completed

Setup offset pattern equals 040101010101

Via the ACE Common tab, highlight AceId 4, click on Adv, and select Pattern 1. Click on Insert and enter the following:

Name: SQLslam

Oper: eq

Value: 040101010101

Click on Insert and then close when completed

NOTE: The ACE name configured is the ACT pattern name configured above.

2. Add ACE 2 with an action of deny stop-on-match for Nachia and enable statistics. We will add the offset pattern aaaaaa using the ACT pattern named Nachia configured in Step A, bullet 4 above. Note that we are adding the offset pattern to Pattern 2. A maximum of three offset patterns is allowed per ACL.

Via the ACE Common window, click on Insert. The default AceId should be 2. Next, enter the following:

Name: ACE-Nachia

Mode: deny

StopOnMatch: enable

Flags: count

Click on Insert when completed

Setup IP Protocol type of ICMP

Via the ACE Common tab, highlight AceId 4 AceId 2, click on IP and Protocol tab. Click on Insert and enter the following:

Oper: eq

List: icmp

Click on Insert when completed

Setup offset pattern 2 equals aaaaaa

Via the ACE Common tab, highlight AceId 4 AceId 2, click on Adv, and select Pattern 2. Click on Insert and enter the following:

Name: Nachia

Oper: eq

Value: aaaaaa

Click on Insert when completed

NOTE: The ACE name configured is the ACT pattern name configured above.

3. Add ACE 3 with an action of deny stop-on-match for Xmas and enable statistics. We will filter on protocol type TCP with the TCP flags Synchronize, Push, and Urgent set.

Via the ACE Common window, click on Insert. The default AceId should be 3. Next, enter the following:

Name: ACE-Xmas

Mode: deny

StopOnMatch: enable

Flags: count

Click on Insert when completed

Setup IP Protocol type of TCP

Via the ACE Common tab, highlight AceId 4 AceId 3, click on IP and Protocol tab. Click on Insert and enter the following:

Oper: eq

List: tcp

Click on Insert when completed

Setup TCP Flags to select Push and URG

Via the ACE Common tab, highlight AceId 4 AceId 3, click on Proto, and select TCP Flags. Click on Insert and enter the following:

Oper: matchAll

List: push,urg

Click on Insert when completed

4. Add ACE 4 with an action of deny stop-on-match for TCP SynFinScan and enable statistics. Here we will filter on protocol type TCP with the TCP flags Synchronize and Finish set.

Via the ACE Common window, click on Insert. The default AceId should be 4. Next, enter the following:

Name: ACE-SynFinScan

Mode: deny

StopOnMatch: enable

Flags: count

Click on Insert when completed

Setup IP Protocol type of TCP

Via the ACE Common tab, highlight AceId 4 AceId 4, click on IP and Protocol tab. Click on Insert and enter the following:

Oper: eq

List: tcp

Click on Insert when completed

Setup TCP Flags to select Push and URG

Via the ACE Common tab, highlight AceId 4 AceId 4, click on Proto, and select TCP Flags. Click on Insert and enter the following:

Oper: matchAll

List: fin,syn

Click on Insert when completed

5. Add ACE 5 with an action of deny stop-on-match for TCP FtpPort and enable statistics. Here we will filter on protocol type TCP with the TCP flag Synchronize set, TCP src port equal to 20, and TCP dst port equal to or less than 1024.

Via the ACE Common window, click on Insert. The default AceId should be 5. Next, enter the following:

Name: ACE-FtpPort

Mode: deny

StopOnMatch: enable

Flags: count

Click on Insert when completed

Setup IP Protocol type of TCP

Via the ACE Common tab, highlight AceId 4 AceId 5, click on IP and Protocol tab. Click on Insert and enter the following:

Oper: eq

List: tcp

Click on Insert when completed

Setup TCP source and destination ports

Via the ACE Common tab, highlight AceId 4 AceId 5, click on Proto, and select TCP Source Port. Click on Insert and enter the following:

Oper: eq

List: 20

Click on Insert when completed

Continuing via the Proto tab, select TCP Destination Port. Click on Insert and enter the following:

Oper: eq

List: 1024

Click on Insert when completed

Setup TCP Flags to select SYN

Continuing via the Proto tab, select TCP Flags. Click on Insert and enter the following:

Oper: matchAll

List: syn

Click on Insert when completed

6. Add ACE 6 with an action of deny stop-on-match for TCP DnsPort and enable statistics. Here we will filter on protocol type TCP with the TCP flag Synchronize set, TCP src port equal to 53, and TCP dst port equal to or less than 1024.

Via the ACE Common window, click on Insert. The default AceId should be 6. Next, enter the following:

Name: ACE-DnsPort

Mode: deny

StopOnMatch: enable

Flags: count

Click on Insert when completed

Setup IP Protocol type of TCP

Via the ACE Common tab, highlight AceId 4 AceId 6, click on IP and Protocol tab. Click on Insert and enter the following:

Oper: eq

List: tcp

Click on Insert when completed

Setup TCP source and destination ports

Via the ACE Common tab, highlight AceId 4 AceId 6, click on Proto, and select TCP Source Port. Click on Insert and enter the following:

Oper: eq

List: 53

Click on Insert when completed

Continuing via the Proto tab, select TCP Destination Port. Click on Insert and enter the following:

Oper: eq

List: 1024

Click on Insert when completed

Setup TCP Flags to select SYN

Continuing via the Proto tab, select TCP Flags. Click on Insert and enter the following:

Oper: matchAll

List: syn

Click on Insert when completed

7. Enable all ACEs

Via the ACE Common tab, make sure all ACEs are enabled via the AdminState tab.
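To check what ACL 4 selects before relying on its counters, the following added example (Python, not part of the Avaya guide and not switch code) models ACEs 1 through 6 and evaluates them first-match against constructed packets. It assumes that the base ipTosBegin is byte 1 of a 20-byte IPv4 header with no options, that match-all means every listed flag is set, and it uses the fin,push,urg flag list from the CLI step for ACE-Xmas; all function and sample names are hypothetical.

```python
import struct
from ipaddress import IPv4Address

IP_TOS_BEGIN = 1   # assumption: base ipTosBegin is the TOS byte, byte 1 of the IPv4 header
PROTO = {"icmp": 1, "tcp": 6, "udp": 17}
FLAG = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "push": 0x08, "ack": 0x10, "urg": 0x20}

# ACEs of ACL 4 as configured in the CLI steps; a pattern is (offset bits, length bits, hex value).
ACES = [
    {"name": "ACE-SQLslam", "proto": "udp", "udp_dst": 1434, "pattern": (216, 48, "040101010101")},
    {"name": "ACE-Nachia", "proto": "icmp", "pattern": (224, 24, "aaaaaa")},
    {"name": "ACE-Xmas", "proto": "tcp", "flags": ("fin", "push", "urg")},
    {"name": "ACE-SynFinScan", "proto": "tcp", "flags": ("fin", "syn")},
    {"name": "ACE-FtpPort", "proto": "tcp", "tcp_src": 20, "tcp_dst_le": 1024, "flags": ("syn",)},
    {"name": "ACE-DnsPort", "proto": "tcp", "tcp_src": 53, "tcp_dst_le": 1024, "flags": ("syn",)},
]

def pattern_bytes(pkt, offset_bits, length_bits):
    """Bytes selected by an ACT pattern: a fixed bit offset and length from ipTosBegin."""
    start = IP_TOS_BEGIN + offset_bits // 8
    return pkt[start:start + length_bits // 8]

def ace_matches(ace, pkt):
    """True when every qualifier configured on the ACE matches the packet."""
    if pkt[9] != PROTO[ace["proto"]]:
        return False
    l4 = pkt[(pkt[0] & 0x0F) * 4:]          # transport header follows the IP header
    if len(l4) < 4:
        return False
    sport, dport = struct.unpack("!HH", l4[:4])
    if "udp_dst" in ace and dport != ace["udp_dst"]:
        return False
    if "tcp_src" in ace and sport != ace["tcp_src"]:
        return False
    if "tcp_dst_le" in ace and dport > ace["tcp_dst_le"]:
        return False
    if "flags" in ace:
        want = sum(FLAG[f] for f in ace["flags"])
        # assumption: match-all requires all listed flags; other flags may also be set
        if len(l4) < 14 or l4[13] & want != want:
            return False
    if "pattern" in ace:
        off, length, value = ace["pattern"]
        if pattern_bytes(pkt, off, length) != bytes.fromhex(value):
            return False
    return True

def evaluate(pkt):
    """Name of the first ACE that denies the packet (stop-on-match), or None if none match."""
    for ace in ACES:
        if ace_matches(ace, pkt):
            return ace["name"]
    return None

def ipv4(proto, payload, src="192.0.2.10", dst="198.51.100.20"):
    """Constructed 20-byte IPv4 header (no options, checksum left at 0) plus payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, PROTO[proto], 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed) + payload

def udp(sport, dport, data):
    return ipv4("udp", struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data)

def tcp(sport, dport, *flags):
    bits = sum(FLAG[f] for f in flags)
    return ipv4("tcp", struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, bits, 8192, 0, 0))

def icmp_echo(data):
    return ipv4("icmp", struct.pack("!BBHHH", 8, 0, 0, 1, 1) + data)

SAMPLES = {   # constructed packets, not captures
    "udp1434_pattern": udp(40000, 1434, bytes.fromhex("040101010101") + bytes(16)),
    "udp1434_other": udp(40000, 1434, b"\x02" + bytes(21)),
    "icmp_aa_fill": icmp_echo(b"\xaa" * 64),
    "icmp_alpha_fill": icmp_echo(b"abcdefghijklmnopqrstuvwabcdefghi"),
    "tcp_fin_push_urg": tcp(40000, 80, "fin", "push", "urg"),
    "tcp_syn_fin": tcp(40000, 80, "syn", "fin"),
    "tcp_syn_from_20": tcp(20, 513, "syn"),
    "tcp_syn_from_53": tcp(53, 1024, "syn"),
    "tcp_syn_from_20_high": tcp(20, 40000, "syn"),
    "tcp_syn_client": tcp(40000, 443, "syn"),
}

def verdicts():
    """Map each constructed sample to the ACE that denies it, or None."""
    return {name: evaluate(pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in verdicts().items():
        print(f"{name:22} {'deny by ' + hit if hit else 'no ACE matched'}")
```

With a 20-byte IP header, 216 bits from the TOS byte lands on the first byte of the UDP payload and 224 bits lands on the second byte of the ICMP echo data, which is why the two offsets differ by one byte.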

6.7 Configuration Example – Port Mirror with ACL’s

In this configuration example, we wish to accomplish the following:

Enable the ability to port mirror any port from VLAN 220

Use port 3/48 as the monitoring port

Setup an ACL so that only TCP traffic with a port range from 20 to 500 and ICMP frames are mirrored to the monitoring port

NOTE: The R-modules have a port mirror restriction allowing for only one port to be mirrored per lane. There are no restrictions in regards to the monitor port. Please refer to the following chart.

Module               Number of LANEs   Maximum Mirror Ports
8630GBR              3                 1 port from each group of 10 ports:
                                         o 1 port from ports 1-10
                                         o 1 port from ports 11-20
                                         o 1 port from ports 21-30
8648GTR              2                 1 port from each group of 24 ports:
                                         o 1 port from ports 1-24
                                         o 1 port from ports 25-48
8683ZR/ZW, 8683XZR   3                 Can mirror all 3 ports

Please follow the steps below to setup port mirror and filtering on the above criteria.

ERS8610-B:5# config diag mirror-by-port 1 create in-port 3/25 out-port 3/48 mode bothFilter enable true

6.7.1 Via CLI

A. Create a new ACT to filter on ICMP frames and TCP dst-port:

1. Create a new ACT with ID = 2

ERS-8610:5# config filter act 2 create

2. Select IP attributes of source IP and IP protocol type

ERS-8610:5# config filter act 2 ip ipProtoType

3. Select Protocol Attributes of TCP source port, TCP destination port, and UDP destination port

ERS-8610:5# config filter act 2 protocol tcpDstPort

4. Enable ACT 1

ERS-8610:5# config filter act 2 apply

B. Create ACL 1:

1. Create ACL 1 with type of ingress VLAN:

ERS-8610:5# config filter acl 1 create inVlan act 2

2. Add ingress VLAN of 220 to ACL 1:

ERS-8610:5# config filter acl 1 vlan add 220

C. Add ACEs to ACL 1:

1. Add ACE 1 with action of permit to mirror icmp traffic:

ERS-8610:5# config filter acl 1 ace 1 create name icmp

ERS-8610:5# config filter acl 1 ace 1 action permit

ERS-8610:5# config filter acl 1 ace 1 debug mirror enable

ERS-8610:5# config filter acl 1 ace 1 ip ip-protocol-type eq icmp

ERS-8610:5# config filter acl 1 ace 1 enable

2. Add ACE 2 with action of permit to mirror TCP traffic with a destination port range from 20 to 500

ERS-8610:5# config filter acl 1 ace 2 create name tcp_range

ERS-8610:5# config filter acl 1 ace 2 action permit

ERS-8610:5# config filter acl 1 ace 2 debug mirror enable

ERS-8610:5# config filter acl 1 ace 2 ip ip-protocol-type eq tcp

ERS-8610:5# config filter acl 1 ace 2 protocol tcp-dst-port eq 20-500

ERS-8610:5# config filter acl 1 ace 2 enable

D. Enable port mirror:

ERS-8610:5# config diag mirror-by-port 1 create in-port 3/25 out-port 3/48 mode bothFilter enable true

6.7.2 Via JDM

A. Create ACT 2

Create a new ACT to filter on ICMP frames and TCP dst-port.

1. Go to Security>Data Path, click on Advanced Filters (ACE/ACLs), and select ACT. When prompted with the 'NOTE: Filter configuration of R-modules only' dialog box, click on OK.

2. Via the ACT tab, click on Insert. You can add an ACT number and name if you wish, or just leave the default settings. The default name in this case should be ACT-1 – this name will be used in step B when configuring the ACL. Next, check off the following items:

IpAttrs: ipProtoType

ProtocolAttrs: tcpDstPort

Click on Insert when completed

3. Finally, via the main ACT window, under the Apply icon, select true. This step must be completed prior to configuring the ACL.

B. Create ACL 1

1. Via the ACL tab, click on Insert. Assuming there are no ACLs already configured, ACL 1 will automatically come up. Next enter the following:

ActId: (2) ACT-2

Type: inVlan

Click on Insert when finished.

C. Add ACEs to ACL 1:

1. Add ACE 1 with action of mirror.

Start by clicking on AclId 1 and then clicking on ACE via the ACL tab in the ACL window. Next, click on Insert. The default AceId should be 1. If you do not enter a name, a default name of ACE-1 will be used. Next, enter the following:

AceId: 1

Name: icmp

Mode: permit

Flags: mirror

Click on Insert to complete ACE 1 configuration

Select protocol type icmp

Via the ACE Common tab, highlight AceId 1, click on IP and click on Protocol tab. Click on Insert and enter the following:

Oper: eq

List: icmp

Click on Insert when completed

2. Add ACE 2 with action of mirror.

Start by clicking on Insert via the ACE Common tab. The default AceId should be 2. Next, enter the following:

AceId: 2

Name: tcp_range

Mode: permit

Flags: mirror

Click on Insert to complete ACE 2 configuration

Select protocol type TCP

Via the ACE Common tab, highlight AceId 2, click on IP and click on Protocol tab. Click on Insert and enter the following:

Oper: eq

List: tcp

Click on Insert when completed

Add TCP port range

Via the ACE Common tab, highlight AceId 2, click on Proto and click on TCP Destination Port tab. Click on Insert and enter the following:

Oper: eq

Port: 20-500

Click on Insert when completed

Next, make sure you enable ACE 1 and ACE 2 by selecting enable under the AdminState window.

7. Appendix A – Configuration Files

7.1 From Example 6.1

#

# R-MODULE FILTER CONFIGURATION

#

filter act 1 create

filter act 1 ip srcIp,ipProtoType

filter act 1 protocol tcpSrcPort,tcpDstPort,udpDstPort

filter act 1 apply

filter acl 1 create inVlan act 1

filter acl 1 vlan add 200

filter acl 1 ace 1 action deny stop-on-match true

filter acl 1 ace 1 debug count enable

filter acl 1 ace 1 ip ip-protocol-type eq udp

filter acl 1 ace 1 protocol udp-dst-port eq tftp

filter acl 1 ace 1 enable

filter acl 1 ace 2 action permit remark-dscp phbcs2 stop-on-match true

filter acl 1 ace 2 debug count enable

filter acl 1 ace 2 ip src-ip eq 10.1.1.2-10.1.1.3

filter acl 1 ace 2 ip ip-protocol-type eq tcp

filter acl 1 ace 2 protocol tcp-src-port eq 80

filter acl 1 ace 2 enable

filter acl 1 ace 3 action deny stop-on-match true

filter acl 1 ace 3 debug count enable

filter acl 1 ace 3 ip ip-protocol-type eq tcp

filter acl 1 ace 3 protocol tcp-src-port eq 80

filter acl 1 ace 3 enable

filter acl 1 ace 4 action permit remark-dscp phbcs1 stop-on-match true

filter acl 1 ace 4 debug count enable

filter acl 1 ace 4 ip src-ip ge 0.0.0.0

filter acl 1 ace 4 enable

7.2 From Example 6.2

#

# QOS CONFIGURATION

#

qos policy 1 create peak-rate 2000 svc-rate 1000 lanes 7/3 name "POLICY-1"

#

# VLAN CONFIGURATION

#

vlan 1 ports remove 4/1-4/30,7/1-7/30 member portmember

vlan 2 create byport 1 color 1

vlan 2 ports remove 4/1-4/30,7/1-7/28 member portmember

vlan 2 ports add 7/29-7/30 member portmember

#

# R-MODULE FILTER CONFIGURATION

#

filter act 1 create

filter act 1 protocol tcpDstPort,udpDstPort

filter act 1 apply

filter acl 1 create inVlan act 1

filter acl 1 vlan add 2

filter acl 1 ace 1 create name "UDP_Range"

filter acl 1 ace 1 action permit remark-dscp phbaf41

filter acl 1 ace 1 debug count enable

filter acl 1 ace 1 protocol udp-dst-port eq 1124-1784

filter acl 1 ace 1 enable

filter acl 1 ace 2 create name "Police_1"

filter acl 1 ace 2 action permit remark-dscp phbaf11 police 1

filter acl 1 ace 2 debug count enable

filter acl 1 ace 2 protocol tcp-dst-port eq 20-21

filter acl 1 ace 2 enable

7.3 From Example 6.3

#

# QOS CONFIGURATION

#

qos egress-queue-set 2 queue 0 set min-rate 40

qos egress-queue-set 2 queue 1 set min-rate 25

qos egress-queue-set 2 queue 2 set min-rate 15

qos egress-queue-set 2 queue 3 set min-rate 5

qos egress-queue-set 2 queue 4 set min-rate 0

qos egress-queue-set 2 queue 62 set max-rate 10

qos egress-queue-set 2 apply

7.4 From Example 6.4

#

# R-MODULE FILTER CONFIGURATION

#

filter acl 1 create inPort act 4083

filter acl 1 port add 7/26-7/29

filter acl 1 ace 1 action permit

filter acl 1 ace 1 ethernet dst-mac eq ff:ff:ff:ff:ff:ff

filter acl 1 ace 1 arp operation eq arprequest

filter acl 1 ace 1 enable

filter acl 1 ace 2 action deny

filter acl 1 ace 2 debug count enable

filter acl 1 ace 2 arp operation eq arprequest

filter acl 1 ace 2 enable

filter acl 1 ace 3 action deny

filter acl 1 ace 3 debug count enable

filter acl 1 ace 3 advanced custom-filter1 p1 eq 0a011901

filter acl 1 ace 3 enable

filter acl 1 ace 4 action deny

filter acl 1 ace 4 debug count enable

filter acl 1 ace 4 advanced custom-filter2 p2 eq 0a011901

filter acl 1 ace 4 enable

filter acl 1 ace 5 action permit

filter acl 1 ace 5 arp operation eq arpresponse

filter acl 1 ace 5 enable

7.5 From Example 6.6

#

# R-MODULE FILTER CONFIGURATION

#

filter act 1 create

filter act 1 ip srcIp,dstIp,ipProtoType

filter act 1 protocol tcpSrcPort,tcpDstPort,udpDstPort,tcpFlags

filter act 1 pattern SQLslam add ip-tos-begin 216 48

filter act 1 pattern Nachia add ip-tos-begin 224 24

filter act 1 apply

filter acl 4 create inVlan act 1

filter acl 4 vlan add 2

filter acl 4 ace 1 create name "ACE-SQLslam"

filter acl 4 ace 1 action deny stop-on-match true

filter acl 4 ace 1 debug count enable

filter acl 4 ace 1 ip ip-protocol-type eq udp

filter acl 4 ace 1 protocol udp-dst-port eq 1434

filter acl 4 ace 1 advanced custom-filter1 SQLslam eq 040101010101

filter acl 4 ace 1 enable

filter acl 4 ace 2 create name "ACE-Nachia"

filter acl 4 ace 2 action deny stop-on-match true

filter acl 4 ace 2 debug count enable

filter acl 4 ace 2 ip ip-protocol-type eq icmp

filter acl 4 ace 2 advanced custom-filter2 Nachia eq aaaaaa

filter acl 4 ace 2 enable

filter acl 4 ace 3 create name "ACE-Xmas"

filter acl 4 ace 3 action deny stop-on-match true

filter acl 4 ace 3 debug count enable

filter acl 4 ace 3 ip ip-protocol-type eq tcp

filter acl 4 ace 3 protocol tcp-flags match-all push,urg

filter acl 4 ace 3 enable

filter acl 4 ace 4 create name "ACE-SynFinScan"

filter acl 4 ace 4 action deny stop-on-match true

filter acl 4 ace 4 debug count enable

filter acl 4 ace 4 ip ip-protocol-type eq tcp

filter acl 4 ace 4 protocol tcp-flags match-all fin,syn

filter acl 4 ace 4 enable

filter acl 4 ace 5 create name "ACE-FtpPort"

filter acl 4 ace 5 action deny stop-on-match true

filter acl 4 ace 5 debug count enable

filter acl 4 ace 5 ip ip-protocol-type eq tcp

filter acl 4 ace 5 protocol tcp-src-port eq 20

filter acl 4 ace 5 protocol tcp-dst-port le 1024

filter acl 4 ace 5 protocol tcp-flags match-all syn

filter acl 4 ace 5 enable

filter acl 4 ace 6 create name "ACE-DnsPort"

filter acl 4 ace 6 action deny stop-on-match true

filter acl 4 ace 6 debug count enable

filter acl 4 ace 6 ip ip-protocol-type eq tcp

filter acl 4 ace 6 protocol tcp-src-port eq 53

filter acl 4 ace 6 protocol tcp-dst-port le 1024

filter acl 4 ace 6 protocol tcp-flags match-all syn

filter acl 4 ace 6 enable

8. Appendix B – Pre-Defined ACT List

ERS-8610:5# show filter act

================================================================================
                              ACT Table (Part I)
================================================================================
Id    ActName                       Ethernet     Ip           Protocol     Arp
--------------------------------------------------------------------------------
4082  IP Media filters ACT          none         dscp         tcpSrcPort   none
                                                              udpSrcPort
                                                              tcpDstPort
                                                              udpDstPort
4083  Arp-Spoof_Layer_2 ACT         dstMac       none         none         operation
4084  Mac Src/Dst & ARP ACT         srcMac       none         none         operation
                                    dstMac
4085  Mac Src/Dst & IP ACT          srcMac       srcIp        none         none
                                    dstMac       dstIp
4086  IP Options ACT                none         srcIp        none         none
                                                 dstIp
                                                 ipOptions
4087  IP Fragmentation ACT          none         srcIp        none         none
                                                 dstIp
                                                 ipFragFlag
4088  DSCP ACT                      none         srcIp        none         none
                                                 dstIp
                                                 dscp
4089  UDP ACT                       none         srcIp        udpSrcPort   none
                                                 dstIp        udpDstPort
4090  TCP ACT                       none         srcIp        tcpSrcPort   none
                                                 dstIp        tcpDstPort
                                                              tcpFlags
4091  IP Sa/Da, Protocol ACT        none         srcIp        none         none
                                                 dstIp
                                                 ipProtoType
4092  IP Sa & Da ACT                none         srcIp        none         none
                                                 dstIp
4093  Arp ACT                       none         none         none         operation
4094  Mac Src-Dst,Ether ACT         srcMac       none         none         none
                                    dstMac
                                    etherType
4095  Mac Src-Dst,Ether,Dot1p ACT   srcMac       none         none         none
                                    dstMac
                                    etherType
                                    vlanTagPrio
4096  IP Ping-Snoop ACT             none         srcIp        icmpMsgType  none
                                                 dstIp

9. Appendix C – QoS Details

9.1 Ethernet 802.1Q Tag in Ethernet Header

Figure 15: 802.1Q Ethernet Header

• 802.1p User Priorities (8 traffic classes)

• Map 802.1p to queues

• DSCP mapped to/from 802.1p User Priorities

• VLAN ID used to group users with similar requirements

• Filter on VLAN ID

• Filter on MAC address range

9.2 DiffServ: QoS at Layer 3

Figure 16: DiffServ Code Point

[Figure 16 layout: the IP header fields Version (4 bits), Length (4 bits), TOS (8 bits), Total Length (16 bits), followed by more IP header. The TOS byte is shown as bits 0 to 7: DSCP (example 1 0 1 1 1 0) followed by CU.]

• DSCP Marking

— Differentiated Services Codepoint: six bits of the DS field are used to select the PHB that a packet experiences at each node; 64 possible code points

Drop Precedence   Class 1   Class 2   Class 3   Class 4
Low               001010    010010    011010    100010
Medium            001100    010100    011100    100100
High              001110    010110    011110    100110

Codepoint Space   Use
XXXXX0            Defined Code Points
XXXX11            Experimental or Local use
XXXX01            Future Defined Code Points

9.3 Ethernet Routing Switch (ERS) 8600 DSCP ToS/IP Mapping

Table 10: PP8600 DSCP ToS/IP Mapping

DSCP   TOS    IP Precedence   Binary      ADSSC      PHB
0x0    0x0    0               000000 00   Standard   CS0
0x0    0x0    -               000000 00              DE
0x8    0x20   1               001000 00   Bronze     CS1
0xA    0x28   -               001010 00              AF11
0x10   0x40   2               010000 00   Silver     CS2
0x12   0x48   -               010010 00              AF21
0x18   0x60   3               011000 00   Gold       CS3
0x1A   0x68   -               011010 00              AF31
0x20   0x80   4               100000 00   Platinum   CS4
0x22   0x88   -               100010 00              AF41
0x28   0xA0   5               101000 00   Premium    CS5
0x2E   0xB8   -               101110 00              EF
0x30   0xC0   6               110000 00   Network    CS6
0x38   0xE0   7               111000 00   Critical   CS7

DSCP and TOS are in HEX

IP Precedence in decimal

ADSSC: Avaya Data Solutions Service Class. PHB: Per Hop Behavior.

10. Appendix D – Hardware Overview

Redundant and load-sharing CPU/Switch Fabrics for up to 512 GIG of switching throughput (380Mpps)

Up to 3 CPUs per Control Plane

I/O blades with ingress and egress Route-Switch-Processors per 10GIG lane for line speed ingress/egress packet manipulation (filtering, bridging, routing, MPLS)

CLUE radix lookup table

FOQ for enhanced Queue management

[Figure: hardware block diagram. Recoverable labels: Switch Fabric (SFF) Slot 5 and Switch Fabric (SFF) Slot 6, each with Power PC 333 Mhz, 256 Mb DRAM, and SuperMezz Power PC 1GHz (optional); System OPID, TAPMUX, FSWIP, FFAD; I/O Service Module with RSP, CLUE Lookup Table, CO Processor, Feedback Output Queuing, PIM, IOM, F2E, F2I; 10 GIG LANE, Full Duplex; INTERFACE PORT(S) 10x1GIG, 1x10GIG.]

11. Software Baseline:

Software level of Ethernet Routing Switch (ERS) 8600 used for this document is based on release 4.0.

Reference Documentation:

Document Title: Configuring QoS and Filtering for Ethernet Routing Switch (ERS) 8600 R Modules

Publication Number: 318637-A Rev 00

12. Customer service

Visit the Avaya Web site to access the complete range of services and support that Avaya provides. Go to www.avaya.com or go to one of the pages listed in the following sections.

12.1 Getting technical documentation

To download and print selected technical publications and release notes directly from the Internet, go to www.avaya.com/support.

12.2 Getting product training

Ongoing product training is available. For more information or to register, you can access the Web site at www.avaya.com/support. From this Web site, you can locate the Training contacts link on the left-hand navigation pane.

12.3 Getting help from a distributor or reseller

If you purchased a service contract for your Avaya product from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller for assistance.

12.4 Getting technical support from the Avaya Web site

The easiest and most effective way to get technical support for Avaya products is from the Avaya Technical Support Web site at www.avaya.com/support.