
Product Name: Ethernet Routing Switch

Product Number: 8600 R-Series

Technical Configuration Guide for Ethernet Routing Switch 8600 R-Series Modules Filters and QoS

Enterprise Network Engineering


Document Date: March 21, 2005
Document Version: 1.0
ERS8600 Technical Config Guide for R-Module Filters and QoS Version 1.0 March 2005

Copyright © 2005 Nortel Networks


All rights reserved. March 2005
The information in this document is subject to change without notice. The statements,
configurations, technical data, and recommendations in this document are believed to be
accurate and reliable, but are presented without express or implied warranty. Users must
take full responsibility for their applications of any products specified in this document. The
information in this document is proprietary to Nortel Networks Inc.

The software described in this document is furnished under a license agreement and may
be used only in accordance with the terms of that license.

Trademarks
Nortel, the Nortel logo, the Globemark, Unified Networks, PASSPORT and BayStack are
trademarks of Nortel Networks.

Adobe and Acrobat Reader are trademarks of Adobe Systems Incorporated.

All other Trademarks are the property of their respective owners.

Nortel Networks External Distribution 1



Table of Contents
1. OVERVIEW: R-MODULE FILTER SPECIFICATIONS ........ 4
1.1 ACCESS CONTROL TEMPLATES (ACT) ........ 5
1.2 ACCESS CONTROL ENTRY (ACE) ........ 7
1.3 ACCESS CONTROL LISTS (ACL) ........ 10
2. CONFIGURING ACLS ........ 11
2.1 ACT – ACCESS CONTROL TEMPLATES ........ 11
2.2 ACL ........ 13
2.3 ACE – ACCESS CONTROL ENTRY ........ 16
3. R-MODULE QUEUING ........ 20
3.1 OVERVIEW ........ 20
3.2 DEFAULT PACKET QOS TO EGRESS QUEUE MAPPING ........ 21
3.3 DEFAULT INGRESS P-BIT TO INTERNAL QOS LEVEL AND EGRESS QUEUE MAPPING ........ 22
3.4 GIGABIT ETHERNET DEFAULT INGRESS DSCP TO EGRESS QUEUE MAPPING ........ 22
3.5 EGRESS TRAFFIC SHAPING ........ 23
3.6 QUEUE SET CONFIGURATION COMMANDS ........ 26
4. INGRESS TRAFFIC POLICING ........ 32
4.1 POLICING CONFIGURATION ........ 33
5. QOS CONCEPTS ........ 35
5.1 CHANGING THE DIFFSERV PORT TYPE ........ 35
5.2 L2 AND L3 TRUSTED AND UNTRUSTED PORTS ........ 35
5.3 QOS FOR R-MODE MODULES ........ 45
5.4 CHANGING THE DEFAULT PORT OR VLAN QOS LEVELS ........ 46
5.5 ADDING A MAC QOS LEVEL ........ 47
6. CONFIGURATION EXAMPLES ........ 48
6.1 CONFIGURATION EXAMPLE 1: MARKING AND DROPPING TRAFFIC ........ 48
6.2 CONFIGURATION EXAMPLE 2: FILTER RANGES AND POLICING ........ 58
6.3 CONFIGURATION EXAMPLE 3: SETTING EGRESS QUEUE WEIGHT AND SHAPING RATE ........ 62
6.4 CONFIGURATION EXAMPLE – CHANGING EGRESS PORT SHAPER ........ 66
6.5 CONFIGURATION EXAMPLE – DENY ARP/MAC SPOOFING ATTACK IN A LAYER 2 ENVIRONMENT ........ 67
6.6 CONFIGURATION EXAMPLE – DOS ATTACKS ........ 72
7. APPENDIX A – CONFIGURATION FILES ........ 81
7.1 FROM EXAMPLE 6.1 ........ 81
7.2 FROM EXAMPLE 6.2 ........ 81
7.3 FROM EXAMPLE 6.3 ........ 82
7.4 FROM EXAMPLE 6.4 ........ 82
7.5 FROM EXAMPLE 6.6 ........ 82
8. APPENDIX B – PRE-DEFINED ACT LIST ........ 84
9. APPENDIX C – QOS DETAILS ........ 85
9.1 ETHERNET 802.1Q TAG IN ETHERNET HEADER ........ 85
9.2 DIFFSERV: QOS AT LAYER 3 ........ 86
9.3 ERS 8600 DSCP TOS/IP MAPPING ........ 86
10. APPENDIX D – HARDWARE OVERVIEW ........ 87
11. SOFTWARE BASELINE ........ 88
12. REFERENCE DOCUMENTATION ........ 88

List of Figures
Figure 1: ACT, ACL, and ACE Relationship...........................................................................4
Figure 2: Egress Traffic Shaping ..........................................................................................23
Figure 3: Ingress Policing (L2-L7) ........................................................................................32
Figure 4: DiffServ Network Model.........................................................................................35
Figure 5: Diffserv Access Mode – 802.1p Override..............................................................38
Figure 6: DiffServ Core Mode – 802.1p Override Enabled ..................................................39
Figure 7: DiffServ Core Ports – 802.1p Override Disable ....................................................40
Figure 8: DiffServ Access Mode – 802.1p Override Disabled..............................................41
Figure 9: DiffServ Disabled...................................................................................................42
Figure 10: Access Control Lists............................................................................................43
Figure 11: Access Control Lists Continued ..........................................................................44
Figure 12: Example 1 Diagram.............................................................................................48
Figure 13: Filter Ranges and Policing ..................................................................................58
Figure 14: Deny ARP/MAC Spoofing Attack ........................................................................67
Figure 15: 802.1Q Ethernet Header .....................................................................................85
Figure 16: DiffServ Code Point.............................................................................................86

List of Tables
Table 1: ACT Attributes........................................................................................................6
Table 2: Global ACL Actions ...............................................................................................8
Table 3: Ethernet Interface Type Default Internal QoS Mapping ...................................21
Table 4: Default p-bit Interface Internal QoS Level and Egress Queue Mapping ........22
Table 5: L2 and L3 Trusted Port Actions .........................................................................36
Table 6: L2 and L3 Untrusted Port Actions......................................................................37
Table 7: L2 Trusted and L3 Untrusted Port Actions .......................................................37
Table 8: L2 Untrusted and L3 Trusted Port Actions .......................................................37
Table 9: QoS Features Supported ....................................................................................45
Table 10: PP8600 DSCP ToS/IP Mapping .........................................................................86


1. Overview: R-Module Filter Specifications

The ERS 8600 in release 4.0 supports Access Control Lists (ACLs) for filtering.
The ACL implementation applies only to the new R-modules. None of the
legacy Passport 8600 filters are supported on the R-modules; likewise, none of the
ACLs are supported on the legacy modules.

[Figure 1 diagram: VLAN and port; ACT-1 and ACT-2; ingress ACL-1 and ACL-3 and egress ACL-2, each holding ACE-1, ACE-2, ACE-3 ... ACE-N; an ACE has a list of ports and MLTs]

Figure 1: ACT, ACL, and ACE Relationship

ACLs are supported for both ingress and egress and can be applied to a port or a
VLAN. Hence, four types of ACLs are supported: two for ingress (port or VLAN) and
two for egress (port or VLAN). Up to 2000 ACEs can be configured per port for
ingress and egress (1000 VLAN and 1000 port).

An ACL is made up of a list of filter rules called Access Control Entries (ACEs) that
define a pattern to match in a packet together with the desired behavior for the
matching packets. An ACE supports various operations such as range, equal, greater,
less, not, wildcard or pattern match. As a packet comes through an interface
configured with an ACL, the ACEs are scanned for a match against that packet and
the corresponding actions of the matching ACEs are applied according to their
precedence.


1.1 Access Control Templates (ACT)


ACTs are used to pick the attributes and pattern information that will be used in the
ACEs of a particular ACL. In release 4.0, you can create a new ACT or use one of
the many pre-defined ACTs. The pre-defined ACTs can be viewed via Device
Manager or the CLI. These ACTs can be used by one or more ACLs. Once an ACL
has been created with a particular ACT, that ACT can no longer be modified. ACT
IDs, from 1 to 4096, are used throughout the system, and an optional ACT name
can also be specified.
An ACT can only be deleted when no ACLs are using that ACT.
The ACT can also contain pattern parameters used for offset filtering. When setting
up an ACT for offset filtering, you specify the base from which you wish to start
filtering in the packet and the offset length.
NOTE: When setting up a new ACT, it is recommended to choose only the
attributes you plan to use when setting up the ACEs. For each additional attribute
included in an ACT, an additional lookup has to be performed. Therefore, to
enhance performance, keep the ACT attribute set as small as
possible. For example, if you plan to filter on source IP, destination IP, and DSCP,
only these IP attributes should be selected when setting up the ACT. Note that the
number of ACEs within an ACL does not impact performance.

1.1.1 ACT Attributes


The following ACT attributes are supported:
• ARP operation
o If the packet is an ARP packet, this attribute is used to match on the
ARP operation (ARP request or ARP response). The only operator supported
for this attribute is “eq”.
• Ethernet Attributes
o Specifies one of the following Ethernet attributes: none, source MAC,
destination MAC, etherType, port, VLAN, or VLAN Tag Priority.
• IP Attributes
o Specifies one or more of the following IP attributes: none, source IP,
destination IP, IP fragmentation flag, IP Options, IP protocol type, or DSCP.
• Protocol Attributes
o Specifies one or more of the following Protocol attributes: none, TCP
source port, UDP source port, TCP destination port, UDP destination port,
TCP flags, or ICMP message flags.


1.1.2 ACT Attributes for Offset Filtering

An ACT can also contain pattern parameters used for offset filtering. If setting up
an ACT pattern for offset pattern matching, you first need to select the base at which
the offset filter starts. Next, you select the offset position, expressed in
bits, and the offset length, also expressed in bits.
NOTE: Up to three ACT attributes can be configured per ACL. If you require more
than three ACT attributes, a Port and a VLAN ACL type can be combined to support
up to six ACT attributes.
NOTE: Although the pattern length for each ACT attribute can be up to 56 bits, two
or three ACT attributes can be combined in an ACT to filter on a pattern length
greater than 56 bits. For example, two ACT attributes can be combined to allow for
filtering on a pattern up to 112 bits.
The following table displays the pattern options available.
Table 1: ACT Attributes

Field: Base
Specifies one of the following as the user-defined header for the ACEs of the ACL:
  etherBegin       Beginning of the Ethernet packet
  macDstBegin      Start of the destination MAC field in the Ethernet header
  macSrcBegin      Start of the source MAC field in the Ethernet header
  ethTypeLenBegin  Start of the type/length field in the Ethernet header
  arpBegin         Beginning of the hardware address type field in the ARP packet
  ipHdrBegin       Beginning of the IP header (version field)
  ipOptionsBegin   Beginning of the IP options field in the IP header. This is normally after
                   the IP destination address. If the packet does not have IP options,
                   meaning the header length is equal to 5, the filter is not applied. The
                   filter is applied only if the header length is greater than 5.
  ipPayloadBegin   Begins right after the IP header, i.e. after the IP destination address.
                   If the packet has IP options, it is after the IP options plus padding.
  ipTosBegin       Beginning of the TOS byte in the IP header
  ipProtoBegin     Beginning of the IP protocol type in the IP header (starting with the 9th byte)
  ipSrcBegin       Beginning of the source IP field in the IP header
  ipDstBegin       Beginning of the destination IP field in the IP header
  tcpBegin         Beginning of the source port field in the TCP header
  tcpSrcportBegin  Beginning of the source port field in the TCP header
  tcpDstportBegin  Beginning of the destination port field in the TCP header
  tcpFlagsEnd      End of the TCP flags field in the TCP header (beginning of the window field)
  udpBegin         Beginning of the source port field in the UDP header
  udpSrcportBegin  Beginning of the source port field in the UDP header
  udpDstportBegin  Beginning of the destination port field in the UDP header
  etherEnd         End of the Ethernet header
  ipHdrEnd         End of the IP header (after IP options and padding)
  icmpMsgBegin     Beginning of the ICMP header (type field in the ICMP message header)
  tcpEnd           End of the TCP header
  udpEnd           End of the UDP header

Field: Offset
Sets the offset in bits to the beginning of the user-defined field, with the selected
header option as the base. Valid values are 0-76800.

Field: Length
Sets the number of bits to extract from the beginning of the offset. Valid values are 1-56.
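How the offset filter of section 1.1.2 and Table 1 locates and compares a field, as an added Python example (not code from the guide or from Nortel): it resolves a base name to a byte position in a constructed, untagged IPv4/TCP frame, extracts the bit field at the given offset and length, and applies the eq/le/ge operators, including the rule that ipOptionsBegin is not applied when the IP header length is 5. The frame contents, the untagged-Ethernet assumption and the function names are this example's own.

```python
"""Offset (pattern) filtering per section 1.1.2 / Table 1: resolve a base, extract
<length> bits at <offset> bits from it, and compare with eq / le / ge."""
import struct
from typing import Optional

ETH_LEN = 14  # assumption: untagged Ethernet II frames; an 802.1Q tag would add 4 bytes


def build_frame(tos: int = 0xB8, ip_options: bytes = b"", sport: int = 40000,
                dport: int = 80, tcp_flags: int = 0x02, payload: bytes = b"") -> bytes:
    """Constructed IPv4/TCP test frame (not a capture); ip_options must be a multiple of 4 bytes."""
    ihl = 5 + len(ip_options) // 4
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 0, (5 << 12) | tcp_flags, 8192, 0, 0)
    total = ihl * 4 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, tos, total, 1, 0, 64, 6, 0,
                     bytes([10, 1, 1, 10]), bytes([10, 2, 2, 20])) + ip_options
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp + payload


def resolve_base(frame: bytes, base: str) -> Optional[int]:
    """Byte position of a Table 1 base inside an IP frame; None means the filter is not applied.
    arpBegin is omitted because this example only builds IP frames."""
    ihl = frame[ETH_LEN] & 0x0F
    ip_end = ETH_LEN + ihl * 4                       # ipHdrEnd / ipPayloadBegin
    tcp_hdr_len = (frame[ip_end + 12] >> 4) * 4      # TCP data offset (valid for TCP frames)
    bases = {
        "etherBegin": 0, "macDstBegin": 0, "macSrcBegin": 6, "ethTypeLenBegin": 12,
        "etherEnd": ETH_LEN, "ipHdrBegin": ETH_LEN, "ipTosBegin": ETH_LEN + 1,
        "ipProtoBegin": ETH_LEN + 9, "ipSrcBegin": ETH_LEN + 12, "ipDstBegin": ETH_LEN + 16,
        # Table 1: only applied when the IP header length is greater than 5
        "ipOptionsBegin": ETH_LEN + 20 if ihl > 5 else None,
        "ipHdrEnd": ip_end, "ipPayloadBegin": ip_end,
        "tcpBegin": ip_end, "tcpSrcportBegin": ip_end, "tcpDstportBegin": ip_end + 2,
        "tcpFlagsEnd": ip_end + 14, "tcpEnd": ip_end + tcp_hdr_len,
        "udpBegin": ip_end, "udpSrcportBegin": ip_end, "udpDstportBegin": ip_end + 2,
        "udpEnd": ip_end + 8, "icmpMsgBegin": ip_end,
    }
    return bases[base]


def extract_bits(frame: bytes, base: str, offset: int, length: int) -> Optional[int]:
    """Return the <length>-bit value found <offset> bits after <base>, or None if not applicable."""
    if not 0 <= offset <= 76800 or not 1 <= length <= 56:   # limits from Table 1
        raise ValueError("offset must be 0-76800 bits and length 1-56 bits")
    base_byte = resolve_base(frame, base)
    if base_byte is None:
        return None
    start = base_byte * 8 + offset
    first, last = start // 8, (start + length - 1) // 8
    if last >= len(frame):
        raise ValueError("pattern lies beyond the end of the packet")
    window = int.from_bytes(frame[first:last + 1], "big")
    drop = (last + 1) * 8 - (start + length)                # bits following the field
    return (window >> drop) & ((1 << length) - 1)


def custom_filter(frame: bytes, base: str, offset: int, length: int, op: str, value: int) -> bool:
    """ACE advanced custom-filter match with the documented operators eq / le / ge."""
    field = extract_bits(frame, base, offset, length)
    if field is None:
        return False                                        # filter not applied to this packet
    return {"eq": field == value, "le": field <= value, "ge": field >= value}[op]


if __name__ == "__main__":
    f = build_frame()                                       # TCP SYN to port 80, DSCP 46, no options
    print("DSCP == 46:", custom_filter(f, "ipTosBegin", 0, 6, "eq", 46))
    print("TCP SYN bit set:", custom_filter(f, "tcpBegin", 13 * 8 + 6, 1, "eq", 1))
    print("ipOptionsBegin on a header of length 5:", custom_filter(f, "ipOptionsBegin", 0, 8, "ge", 0))
    g = build_frame(ip_options=b"\x01\x01\x01\x00")         # NOP NOP NOP EOL, header length 6
    print("dst port via ipPayloadBegin with options:", custom_filter(g, "ipPayloadBegin", 16, 16, "eq", 80))
```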

1.2 Access Control Entry (ACE)


ACEs are configured with a set of values along with the actions to be taken if a
packet matches a particular ACE. If an attribute specified in the ACT does not have
a value specified in the ACE, that attribute value is treated as a wildcard.
The attributes that can be specified for an ACE are divided into several categories,
since they cannot be specified on the same command line. The categories are
Ethernet, ARP, IP, Protocol and Advanced. The actions are specified with the
“action” and “debug” commands.
The values for the attributes can be specified using several operators: equal-to,
not-equal-to, less-than-or-equal-to and greater-than-or-equal-to. If the equal-to or
not-equal-to operator is used, the user can specify a list and/or a range of
values. A single value has to be specified for the other two operators. There are
some special operators that are used with specific attributes: match-any,
match-all, prefix-list and any. These operators are discussed later in this
section.
Since an ACE configuration takes several command lines, the default state of an
ACE when it is created is “disabled”. An explicit “enable” command has to be
issued to enable the ACE. The ACE cannot be enabled until at least
the “action” command has been entered. Note that multiple entries for the same
ACE can be entered on one command line using a semicolon “;” between entries.
After the ACE is enabled, it cannot be modified except for the “debug”
actions. The ACE has to be disabled, modified and then re-enabled to make any
other modification.
If L3 and L4 attributes are configured, ACEs are applied to non-fragmented packets
and to the initial fragment of a fragmented IP packet.
A maximum of 1000 ingress port ACEs can be configured in an ACL, plus 1000
ingress VLAN ACEs in an ACL, per port. The total number of ACEs that can be
configured is 10,000 ingress and 10,000 egress. Up to 1,000 ingress and 1,000
egress ACEs can have the count flag enabled.


1.2.1 ACE Actions


An ACL can contain multiple ACEs, where each ACE can have a corresponding
action of permit or deny. The default action of permit is applied when there are no
ACE matches for a particular packet. An ACL can also have a global action, which
is applied to all ACEs in the ACL. The default global action is none. You
can modify the default action and the global action at any time.
Table 2: Global ACL Actions
Ingress (port, VLAN-based)
  Match criteria: MAC, p-bits, VLAN tag, ARP, IP, TOS, DSCP, TCP, and UDP
  Match pattern: Base, offset, and length
  Action: Permit, deny, redirect to next hop, redirect to MLT index,
  remark-dot1p/DSCP, police, send to egress queue, mirror, count
Egress (port, VLAN-based)
  Match criteria: MAC, p-bits, VLAN tag, ARP, IP, TOS, DSCP, TCP, and UDP
  Match pattern: Base, offset, and length
  Action: Permit, deny, mirror
Priority: Based on ID (portACL before VlanACL)
If a packet matches multiple ACEs, the non-contradicting actions of all matching ACEs
are taken according to their precedence (ACE ID). If a stop-on-match flag is
specified for an ACE, filtering stops at that ACE and the specified action for it is
taken.

1.2.2 Priority of ACEs


If a packet matches multiple ACEs in an ACL, the actions of the highest priority
ACE will be applied. The actions of the remaining ACEs will be applied only if their
mode is the same as that of the highest priority ACE and their actions do not
overlap with those of the highest priority ACE.
Here are a few examples:
Example 1:
ACE 1 - mode permit, actions - police
ACE 2 - mode deny, actions - mirror

We apply the actions of only ACE 1.

Example 2:
ACE 1 - mode deny, actions - mirror
ACE 2 - mode permit, actions - police

We apply the actions of only ACE 1.

Example 3:
ACE 1 - mode permit, actions - police
ACE 2 - mode deny, actions - mirror
ACE 3 - mode permit, actions - police, mirror
ACE 4 - mode permit, actions - remark-dscp

We apply the actions of ACE 1 and ACE 4.

Example 4:
ACE 1 - mode permit, actions - police
ACE 2 - mode deny, actions - mirror
ACE 3 - mode permit, actions - mirror, stop-on-match
ACE 4 - mode permit, actions - remark-dscp

The actions of ACE 1 and ACE 3 are applied.


1.3 Access Control Lists (ACL)


ACLs are used to group filter rules called ACEs. An ACL can be applied to a VLAN
or a port on ingress or egress. A VLAN or a port can only be associated with
one ingress ACL and one egress ACL.
When an ACL is created, it comes up in the enabled state by default. If an ACL
is disabled, all ACEs within that ACL are disabled. When the ACL is re-enabled,
the ACEs that were previously enabled are enabled again.
If an ACL is deleted, all ACEs within the ACL are also deleted.
Since both port-based and VLAN-based ACLs are supported, depending on the
configuration, the actions of both ACLs may be applied to a particular packet. In
this case, the port-based ACL actions get preference and are applied first.
The default action is applied when there are no ACE matches for a particular
packet. The global action is applied to all ACEs that match a particular
packet. The default action value is “permit”, and the default global action is “none”.
The default action and global action can be modified at any time.

1.3.1 Priority of ACLs


A user can configure both port-based ACLs and VLAN-based ACLs. It is advisable
to apply only one type of ACL to a packet; however, depending on the
configuration, there may be cases where the actions of both port-based ACLs and
VLAN-based ACLs have to be applied to a packet. In this case, we apply the port-
based ACL actions first. We apply VLAN-based ACL actions only if the mode is the
same as that of the port-based ACL and the VLAN-based ACL has ACEs whose
actions do not overlap with the port-based ACL actions.
Here are a few examples:
Example 1:
Port ACL - mode permit, some actions
VLAN ACL - mode deny, some actions

We apply the actions of the Port ACL only.

Example 2:
Port ACL:
ACE 1 - mode permit, action - police

VLAN ACL:
ACE 1 - mode permit, action - police
ACE 2 - mode permit, action - remark-dscp

We apply the actions of the Port ACL and the actions of ACE 2 of the VLAN ACL.

Example 3:
Port ACL:
ACE 1 - mode permit, action - police

VLAN ACL:
ACE 1 - mode permit, action - police, remark-dscp

Only the actions of the Port ACL are applied.
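The precedence rules of sections 1.2.2 (ACEs within an ACL) and 1.3.1 (port ACL before VLAN ACL), modelled as an added Python example that is not code from the guide or from Nortel; it reproduces the seven worked examples above from constructed inputs. The `Ace` and `State` names, the action labels, and the choice to check overlap against every action already taken (the guide words it as overlap with the highest-priority ACE; both readings agree on its examples) are assumptions of this example.

```python
"""Model of the ERS 8600 R-module ACE / ACL precedence rules (sections 1.2.2 and 1.3.1)."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    """One ACE that matched the packet. A lower ace_id means higher priority."""
    ace_id: int
    mode: str                                  # "permit" or "deny"
    actions: FrozenSet[str] = frozenset()      # e.g. {"police", "mirror", "remark-dscp"}
    stop_on_match: bool = False


@dataclass
class State:
    """Decision carried across an ACL (and, for port + VLAN, across both ACLs)."""
    mode: Optional[str] = None                 # set by the highest-priority ACE
    actions: set = field(default_factory=set)  # union of actions taken so far
    stopped: bool = False                      # an applied ACE had stop-on-match


def resolve_aces(matched: List[Ace], state: Optional[State] = None) -> List[int]:
    """Return the ids of the ACEs whose actions are taken, per section 1.2.2.

    The highest-priority ACE always applies. A lower-priority ACE applies only if
    its mode equals the winning mode and none of its actions overlap the actions
    already taken (assumption: overlap is checked against everything applied so
    far). An applied ACE with stop-on-match ends filtering (assumption: the flag
    is honoured only when that ACE is itself applied).
    """
    st = state if state is not None else State()
    applied: List[int] = []
    for ace in sorted(matched, key=lambda a: a.ace_id):
        if st.stopped:
            break
        if st.mode is None:
            st.mode = ace.mode                 # highest-priority ACE wins outright
        elif ace.mode != st.mode:
            continue                           # contradicting mode: skipped
        elif ace.actions & st.actions:
            continue                           # any overlapping action: whole ACE skipped
        applied.append(ace.ace_id)
        st.actions |= set(ace.actions)
        if ace.stop_on_match:
            st.stopped = True
    return applied


def resolve_port_then_vlan(port_aces: List[Ace],
                           vlan_aces: List[Ace]) -> Tuple[List[int], List[int]]:
    """Section 1.3.1: port ACL actions first, then the VLAN ACL under the same state."""
    st = State()
    return resolve_aces(port_aces, st), resolve_aces(vlan_aces, st)


def documented_examples() -> Dict[str, object]:
    """Constructed inputs reproducing the guide's seven worked examples
    ("some actions" in ACL example 1 is filled in as police / mirror here)."""
    P, D, f = "permit", "deny", frozenset
    ace_examples = {
        "ace-1": [Ace(1, P, f({"police"})), Ace(2, D, f({"mirror"}))],
        "ace-2": [Ace(1, D, f({"mirror"})), Ace(2, P, f({"police"}))],
        "ace-3": [Ace(1, P, f({"police"})), Ace(2, D, f({"mirror"})),
                  Ace(3, P, f({"police", "mirror"})), Ace(4, P, f({"remark-dscp"}))],
        "ace-4": [Ace(1, P, f({"police"})), Ace(2, D, f({"mirror"})),
                  Ace(3, P, f({"mirror"}), stop_on_match=True), Ace(4, P, f({"remark-dscp"}))],
    }
    out: Dict[str, object] = {k: resolve_aces(v) for k, v in ace_examples.items()}
    out["acl-1"] = resolve_port_then_vlan([Ace(1, P, f({"police"}))],
                                          [Ace(1, D, f({"mirror"}))])
    out["acl-2"] = resolve_port_then_vlan([Ace(1, P, f({"police"}))],
                                          [Ace(1, P, f({"police"})), Ace(2, P, f({"remark-dscp"}))])
    out["acl-3"] = resolve_port_then_vlan([Ace(1, P, f({"police"}))],
                                          [Ace(1, P, f({"police", "remark-dscp"}))])
    return out


if __name__ == "__main__":
    for name, result in documented_examples().items():
        print(f"{name}: applied ACE ids = {result}")
```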


2. Configuring ACLs
To configure an ACL, you need to configure the following items in the following
order:
1. Create an ACT or use one of the pre-defined ACTs.
2. Create an ACL using an ACT from Step 1 above.
3. Add the appropriate ACEs to the ACL created in Step 2 above.

2.1 ACT – Access Control Templates


As pointed out in section 1.1, there are several pre-defined ACTs available. You
have the choice of using an existing ACT or, if you wish, creating a new one. To view
the ACT list, enter the following command:
• Passport-8610:5# show filter act
Please see Appendix B for the output of the show filter act command.
To create a new ACT, enter the following command:
• Passport-8610:5# config filter act <act id, 1-4096> ?
Sub-Context: pattern
Current Context:
apply
arp <arp-attributes>
create [name <value>]
delete
ethernet <ethernet-attributes>
info
ip <ip-attributes>
name <value>
protocol <protocol-attributes>
Where:
Field  Description
ActId  Identifies the ACT bound to this interface. The range is from 1-4096.
Name  Specifies a descriptive, user-defined name for the ACT entry.
ArpAttrs  Specifies one of the following ARP attributes:
  • none
  • operation
  (This is the only valid option for ARP attributes.)
EthernetAttrs  Specifies one or more of the following Ethernet attributes:
  • none
  • srcMac
  • dstMac
  • etherType
  • port
  • vlan
  • vlanTagPrio
IpAttrs  Specifies one or more of the following IP attributes:
  • none
  • srcIp
  • dstIp
  • ipFragFlag
  • ipOptions
  • ipProtoType
  • dscp
ProtocolAttrs  Specifies one or more of the following protocol attributes:
  • none
  • tcpSrcPort
  • udpSrcPort
  • tcpDstPort
  • udpDstPort
  • tcpFlags
  • icmpMsgFlags

Example:
CLI:
For example, assume we wish to add a new ACT to select source and destination MAC,
EtherType, VLAN and VLAN priority.
• Passport-8610:5# config filter act 10 create
• Passport-8610:5# config filter act 10 ethernet srcMac, dstMac, etherType, vlan, vlanTagPrio
• Passport-8610:5# config filter act 10 apply
Device Manager:
Via Security>Advanced L2-L7 Filter>ACL>ACT>Insert


2.2 ACL
The next step is to create an ACL. This can be accomplished by entering the
following command:
CLI:
• Passport-8610:5# config filter acl <acl-id 1-4096> ?
Sub-Context: ace port set vlan
Current Context:
create <type> act <value> [name <value>]
delete
disable
enable
info
name <value>
• Passport-8610:5# config filter acl <acl-id 1-4096> create ?
create an access control list
Required parameters:
<type> = {inVlan|outVlan|inPort|outPort}
act <value> = access control template ID {1..4096}
Optional parameters:
name <value> = access control list descriptive name {string length 0..32}
Command syntax:
create <type> act <value> [name <value>]

Device Manager:
Via Security>Advanced L2-L7 Filter>ACL>ACL>Insert


Where:

Field Description
AclId Specifies a unique identifier for the ACL entry in the range from
1-4096.
ActId Specifies a unique identifier for the ACT entry in the range from
1-4096.
Type Specifies whether the ACL is VLAN or port-based. Valid
options here are:

• inVlan
• outVlan
• inPort
• outPort

Note: The inVlan and outVlan ACL types drop packets if the
VLAN is added after ACE creation. For VLAN-based filters, you
should ensure that the ACE configuration is set to all of the R
module slots, irrespective of the VLAN's port membership on a
slot.
Name Specifies a descriptive, user-defined name for the ACL entry.
VlanList Identifies an array used to indicate all the VLANs associated
with the ACL entry. Currently, only 4000 VLANs are supported
in the ERS 8000 Series v4.0 software.
PortList Specifies the ports to be added to the ACL entry.
DefaultAction Specifies the action to be taken when none of the ACEs in the
ACL match. Valid options are deny and permit, with permit as
the default.
GlobalAction Indicates action is applied to all ACEs that match in an ACL.
Valid options here are:

• none
• mirror
• count
• mirror-count

State Enables or disables all of the ACEs in the ACL. The default
value is enable
AceListSize Specifies the number of ACEs in a particular ACL.

Example:
CLI:
Continuing from the example in Section 2.1, enter the following to add an ACL
using the ACT from Section 2.1 assuming we wish to filter on ingress ports 8/29
and 8/30:
• Passport-8610:5# config filter acl 10 create inPort act 10
• Passport-8610:5# config filter acl 10 port add 8/29-8/30


Device Manager:
Via Security>Advanced L2-L7 Filter>ACL>ACL>Insert
(Screenshot: in the Insert dialog, select ACT 10, select the ports, optionally enable
mirror or count statistics, then confirm when finished.)


2.3 ACE – Access Control Entry


The final step is to add the appropriate ACEs to the ACL created in step 2.2.
This can be accomplished by entering the following commands:
• Passport-8610:5# config filter acl <acl-id 1-4096> ace <ace-id 1-1000> create
• Passport-8610:5# config filter acl <acl-id 1-4096> ace <ace-id 1-1000> ?
Sub-Context: advanced arp ethernet ip protocol
Current Context:
action <mode> [mlt-index <value>] [remark-dscp <value>]
[remark-dot1p <value>] [police <value>] [redirect-next-hop
<value>] [unreachable <value>] [egress-queue <value>]
[stop-on-match <value>] [egress-queue-nnsc <value>]
create [name <value>]
debug [count <value>] [copytoprimarycp <value>]
[copytosecondarycp <value>] [mirror <value>]
delete
disable
enable
info
name <value>

• Passport-8610:5# config filter acl <acl-id 1-4096> ace <ace-id 1-1000> ethernet ?
Sub-Context:
Current Context:
dst-mac <ace-op> <dst-mac-list>
ether-type <ace-op> <ether-type>
info
port <ace-op> <ports>
src-mac <ace-op> <src-mac-list>
vlan-id <ace-op> <vid>[,...]>
vlan-tag-prio <ace-op> <vlan-tag-prio>

• Passport-8610:5# config filter acl <acl-id 1-4096> ace <ace-id 1-1000> arp ?
Sub-Context:
Current Context:
operation <ace-op> <arp-oper-type>
info

• Passport-8610:5# config filter acl <acl-id 1-4096> ace <ace-id 1-1000> ip ?
Sub-Context:
Current Context:
dscp <ace-op> <dscp-list>
dst-ip <ace-op> <dst-ip-list>
info
ip-frag-flag <ace-op> <ip-frag-flag>
ip-options <ace-op>
ip-protocol-type <ace-op> <ip-protocol-type>
src-ip <ace-op> <src-ip-list>

• Passport-8610:5# config filter acl <acl-id 1-4096> ace <ace-id 1-1000> protocol ?
Sub-Context:
Current Context:
icmp-msg-type <ace-op> <icmp-msg-type>
info
tcp-dst-port <ace-op> <tcp-portlist>
tcp-flags <ace-op> <tcp-flags>
tcp-src-port <ace-op> <tcp-portlist>
udp-dst-port <ace-op> <udp-portlist>
udp-src-port <ace-op> <udp-portlist>

• Passport-8610:5# config filter acl <acl-id 1-4096> ace <ace-id 1-1000> advanced ?
Sub-Context:
Current Context:
info
custom-filter1 <pattern1-name> <ace-op> <value>
custom-filter2 <pattern2-name> <ace-op> <value>
custom-filter3 <pattern3-name> <ace-op> <value>

NOTE: Up to three ACT patterns can be applied to an ACL. If more than three
ACT patterns are required, you can combine a VLAN and a Port ACL to have
up to six patterns.

• Passport-8610:5# config filter acl <acl-id 1-4096> ace <ace-id 1-1000> action ?
update desired action parameters for access control entry
Required parameters:
<mode> = deny or permit matching packets {deny|permit}
Optional parameters:
mlt-index <value> = MLT index {0..8}
remark-dscp <value> = new phb and dscp for matching packets {0..256} or
{0x0..0x100} or {disable|phbcs0|phbcs1|phbaf11|phbaf12|
phbaf13|phbcs2|phbaf21|phbaf22|phbaf23|phbcs3|phbaf31|
phbaf32|phbaf33|phbcs4|phbaf41|phbaf42|phbaf43|phbcs5|
phbef|phbcs6|phbcs7}
remark-dot1p <value> = new dot1 priority for matching packets {0..8} or
{0x0..0x8} or {disable|zero|one|two|three|four|five|six|seven}
police <value> = value-id of the template policer {0..16383}
redirect-next-hop <value> = next-hop ip address for redirect mode {a.b.c.d}
unreachable <value> = deny or permit when next-hop is unreachable {deny|permit}
egress-queue <value> = offset from the base queue number {0..64}
  The <value> can be just a single value, 2 values or 3 values.
  The three values are for Egress Queue ID for 10/100 card, Egress Queue
  for 1G card and Egress Queue for 10Gig card.
  If only 1 value is specified, the same value is applied to all 3 card types.
  If 2 values are specified, the first value is applied to 10/100 card, and
  the second value is applied to 1G and 10G cards.
  If all 3 values are specified, the 3 values are applied to 10/100, 1G and
  10G respectively.
stop-on-match <flag> = true/false for stop on match
egress-queue-nnsc <value> = Ace egress queue nnsc
{critical|custom|premium|platinum|gold|silver|bronze|standard|disable}

Command syntax:
action <mode> [mlt-index <value>]
[remark-dscp <value>] [remark-dot1p <value>]
[police <value>] [redirect-next-hop <value>]
[unreachable <value>] [egress-queue <value>]
[stop-on-match <flag>] [egress-queue-nnsc <value>]

Where:

Field           Description
--------------  ---------------------------------------------------------------
AclId           Specifies a unique identifier for the ACL entry in the range
                from 1-4096.
ActId           Specifies a unique identifier for the ACT entry in the range
                from 1-4096.

ACE Advanced
Ace-op          Specifies the operators for the ACE pattern used when an ACT
                pattern is configured. The custom-filter<1-3> name selects the
                ACT pattern name configured:
                custom-filter1 <pattern1-name> <ace-op> <value>
                <pattern1-name> = hex numeric string for user-defined field
                {string length 0..32}
                Ace-op: operator for field match condition {eq|le|ge}

ACE ARP, ACL
Operation       Specifies the operator for the ACE ARP operation. The eq value
                specifies an exact match.
Oper-type       Specifies whether the ACE ARP will be a request, arpRequest, or
                a response, arpResponse.

ACE Ethernet, ACL
Dst-mac-list    List of destination MAC addresses separated by a comma, or a
                range of MAC addresses specified as low-high.
                Ace-op: operator for field match condition {eq|ne|le|ge}
Ether-type      One or more ethertype names/numbers or {ip|arp|ipx802dot3|
                ipx802dot2|ipxSnap|ipxEthernet2|appleTalk|decLat|decOther|
                sna802dot2|snaEthernet2|netBios|xns|vines|ipV6|rarp|PPPoE}
                Ace-op: operator for field match condition {eq|ne}
Port            Specifies port list {slot/port[-slot/port][,...]}
                Ace-op: operator for field match condition {eq}
Src-mac         List of source MAC addresses separated by a comma, or a range
                of MAC addresses specified as low-high.
                Ace-op: operator for field match condition {eq|ne|le|ge}
Vlan-id         List of VLAN ids {vlan-id[-vlan-id][,...]}
                Ace-op: operator for field match condition {eq}
Vlan-tag-prio   Specifies VLAN tag priority {0..7} or undefined
                Ace-op: operator for field match condition {eq|ne}

Field           Description
--------------  ---------------------------------------------------------------
ACE IP, ACL
Dscp            Specifies phb name or dscp value {0..256} or {disable|phbcs0|
                phbcs1|phbaf11|phbaf12|phbaf13|phbcs2|phbaf21|phbaf22|
                phbaf23|phbcs3|phbaf31|phbaf32|phbaf33|phbcs4|phbaf41|
                phbaf42|phbaf43|phbcs5|phbcs6|phbef|phbcs7}
                Ace-op: match dscp field {eq|ne}
Dst-ip          Specifies destination ip address list {a.b.c.d[,w.x.y.z-p.q.r.s]
                [,l.m.n.o/mask][,a.b.c.d/len]}
                Ace-op: operator for field match condition {eq|ne|le|ge}
Ip-frag-flag    Specifies match option for ip fragments {noFragment|
                anyFragment|moreFragment|lastFragment}
                Ace-op: operator for field match condition {eq}
Ip-options      Matches on the IP-options attribute of the IP header
                Ace-op: operator for field match condition {any}
Ip-protocol-type
                Specifies IP protocol type {1..256} or {undefined|icmp|tcp|
                udp|ipsecesp|ipsecah|ospf|vrrp|snmp}
                Ace-op: operator for field match condition {eq|ne}
Src-ip          Specifies source ip address list {a.b.c.d[,w.x.y.z-p.q.r.s]
                [,l.m.n.o/mask][,a.b.c.d/len]}
                Ace-op: operator for field match condition {eq|ne|le|ge}

ACE Protocol, ACL
Icmp-msg-type   Specifies one or more icmp msg types {0..255} or {echoreply|
                destunreach|sourcequench|redirect|echo-request|routeradv|
                routerselect|time-exceeded|param-problem|timestamp-request|
                timestamp-reply|addressmask-request|addressmask-reply|
                traceroute}
                Ace-op: operator for field match condition {eq|ne}
Tcp-dst-port    Specifies destination port for tcp protocol {0..65535} or {echo|
                ftpdata|ftpcontrol|ssh|telnet|dns|http|bgp|hdot323|undefined}
                Ace-op: operator for field match condition {eq|ne|le|ge}
Tcp-flags       Specifies one or more tcp flags {none|fin|syn|rst|push|ack|urg|
                undefined}
                Ace-op: operator for field match condition {match-any|match-all}
Tcp-src-port    Specifies source port for tcp protocol {0..65535} or {}
                Ace-op: operator for field match condition {eq|ne|le|ge}
Udp-dst-port    Specifies destination port for udp protocol {0..65535} or
                {echo|dns|bootpServer|bootpClient|tftp|rip|rtp|rtcp|undefined}
                Ace-op: operator for field match condition {eq|ne|le|ge}
Udp-src-port    Specifies source port for udp protocol {0..65535} or {}
                Ace-op: operator for field match condition {eq|ne|le|ge}
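The list syntax and operators in the table above can be exercised off-box before an ACE is committed. The following Python is an added example, not Nortel code and not something that runs on the switch: it parses a dst-ip or src-ip list in the four forms the table allows (single address, low-high range, address/dotted-mask, address/prefix-length), applies the eq/ne/le/ge operators to a packet address, and models the tcp-flags match-any/match-all operators. The page does not define what le and ge mean against a list, so the comparison against the list's extreme addresses is an assumption marked in the code; the sample list is constructed.

```python
"""Evaluate ACE IP-address-list and TCP-flag match conditions off-box.

Added example for the ACE field table above; this is not Nortel code and
does not run on the switch.  It parses the dst-ip / src-ip list syntax
{a.b.c.d[,w.x.y.z-p.q.r.s][,l.m.n.o/mask][,a.b.c.d/len]} into inclusive
address ranges and applies an <ace-op>.  eq and ne are membership tests.
The page does not define le and ge against a list, so here they are
ASSUMED to compare the packet address with the list's highest and lowest
address.  The tcp-flags operators match-any and match-all are modelled as
set tests over the flag names the CLI accepts.
"""
import ipaddress


def parse_ip_list(spec):
    """Return [(low, high), ...] integer IPv4 ranges, inclusive, one per list item."""
    ranges = []
    for item in spec.replace(" ", "").split(","):
        if not item:
            continue
        if "-" in item:                                    # w.x.y.z-p.q.r.s
            lo, hi = item.split("-", 1)
            lo_i = int(ipaddress.IPv4Address(lo))
            hi_i = int(ipaddress.IPv4Address(hi))
            if lo_i > hi_i:
                raise ValueError(f"reversed range: {item}")
            ranges.append((lo_i, hi_i))
        elif "/" in item:                                  # l.m.n.o/mask or a.b.c.d/len
            net = ipaddress.IPv4Network(item, strict=False)  # accepts dotted mask or prefix length
            ranges.append((int(net.network_address), int(net.broadcast_address)))
        else:                                              # a.b.c.d
            addr = int(ipaddress.IPv4Address(item))
            ranges.append((addr, addr))
    if not ranges:
        raise ValueError("empty address list")
    return ranges


def ip_match(ace_op, spec, pkt_ip):
    """Apply <ace-op> {eq|ne|le|ge} of an ACE IP field to one packet address."""
    ranges = parse_ip_list(spec)
    addr = int(ipaddress.IPv4Address(pkt_ip))
    in_list = any(lo <= addr <= hi for lo, hi in ranges)
    if ace_op == "eq":
        return in_list
    if ace_op == "ne":
        return not in_list
    # ASSUMPTION (not from the page): le/ge compare with the list's extreme addresses.
    if ace_op == "le":
        return addr <= max(hi for _, hi in ranges)
    if ace_op == "ge":
        return addr >= min(lo for lo, _ in ranges)
    raise ValueError(f"unknown ace-op {ace_op!r}")


TCP_FLAGS = {"fin", "syn", "rst", "push", "ack", "urg"}


def tcp_flags_match(ace_op, wanted, pkt_flags):
    """match-any: at least one listed flag is set; match-all: every listed flag is set."""
    wanted, pkt_flags = set(wanted), set(pkt_flags)
    unknown = (wanted | pkt_flags) - TCP_FLAGS
    if unknown:
        raise ValueError(f"unknown tcp flag(s): {sorted(unknown)}")
    if ace_op == "match-any":
        return bool(wanted & pkt_flags)
    if ace_op == "match-all":
        return wanted <= pkt_flags
    raise ValueError(f"unknown ace-op {ace_op!r}")


if __name__ == "__main__":
    # Constructed sample list exercising all four item forms.
    sample = "10.1.1.5,10.2.0.0-10.2.0.255,192.168.1.0/255.255.255.0,172.16.0.0/12"
    for ip in ("10.2.0.17", "192.168.2.1", "172.31.255.255"):
        print(ip, "eq ->", ip_match("eq", sample, ip))
    print("syn-only packet vs match-all syn,ack ->",
          tcp_flags_match("match-all", ["syn", "ack"], ["syn"]))
```

A reversed range or an unknown flag name raises instead of silently matching nothing, which is the failure mode worth catching before an ACE is applied to live traffic.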

3. R-Module Queuing
3.1 Overview
R-modules, by default, have two reserved and pre-configured egress queue
templates based on Nortel Networks Service Classes (NNSC); please see
http://www.nortelnetworks.com/products/02/bstk/switches/bps/collateral/56058.25_022403.pdf.
In the 4.0 release, one template has 8 queues while the other has up to 64
queues. In addition, a user can add individual egress queue templates to any
port. Overall, the queue options depend on the type of I/O module used:
• I/O modules with 1 egress port per LANE can utilize all 640 elementary
  queues. In the 4.0 software release, 64 of the 640 queues per 10GE port are
  used. This applies to the 8683XLR (3-port 10GE) and 8683XZR (3-port 10GE).
• I/O modules with more than 1 port, but no more than 10 ports per lane, can
  utilize up to 64 elementary queues per port. This applies to the 8630GBR
  (30-port GE) I/O module.
• I/O modules with more than 10 ports per lane support 8 elementary queues
  per port. This applies to the 8648GTR (48-port 10/100/1000) I/O module.
Each queue within an egress queue set belongs to one of three queue styles:
• High Priority Group
  o Queues in this group take precedence over queues in the other groups and
    are serviced first
  o Strict priority is used
  o Queues belonging to this group are numbered from queue index 63 downward
  o Any packet in queue 63 is serviced first, followed by queue 62, and so on
  o On trusted ports, incoming packets with 802.1p = 6 or DSCP CS5/EF are
    placed in queue 62 by default
  o A maximum rate can be configured on a high priority queue to avoid
    bandwidth monopoly
• Balanced Queuing Group (Weighted Round Robin)
  o Balanced queues are serviced second, after traffic from the high priority
    queues has been serviced
  o Queues belonging to the balanced group are serviced by a weighted round
    robin scheduler
  o Each balanced queue has a minimum rate and a maximum rate: the minimum rate
    is a guaranteed bandwidth, while the maximum rate is the ceiling the queue
    may reach when no data is being serviced on the other queues
  o The sum of all minimum rates configured on all queues cannot exceed 100%,
    the line rate of the port
  o Minimum rates are not applicable to the High Priority or Low Priority Groups


• Low Priority Group
  o Queues belonging to the low priority group are serviced last, on a
    best-effort basis
  o There is no minimum rate associated with a low priority group
Please see section 3.2 for the egress queue mappings.
Feedback Output Queueing (FOQ)
ERS 8600 Release 4.0 reports congestion for individual egress queues. Feedback
output queuing (FOQ) notifies the ingress ports of congestion ahead, so that the
switch fabric does not waste resources forwarding packets or cells that will
probably be dropped. FOQ avoids congestion and packet drops without regard to
the QoS of the flows involved.
We recommend that you enable FOQ in a system with only R modules. You must
enable R-mode to use FOQ. FOQ is not supported in a system with a mix of
modules (R modules and pre-E, E- or M-modules). Please see section 5.3
regarding R-mode.

3.2 Default Packet QoS to Egress Queue Mapping

Depending on the DSCP/802.1p value, one of eight queues will be chosen as shown
in Table 3 below. Note that the queue numbers differ between R-module port types.
Each queue can be configured in one of three styles, listed in descending order of
precedence: high priority, balanced, and low priority. Queues in the balanced group
are scheduled using an implementation of Weighted Fair Queuing (WFQ).
Overall, by default, the R-modules support the following service levels:
1. Two high priority queues for critical network control and real time application
   data, i.e. the highest priority queue for Critical traffic and the 2nd highest
   priority queue for Premium traffic.
2. Five balanced queues: one for standard network traffic and four for "metal"
   (Platinum, Gold, Silver and Bronze) traffic.
3. One low priority queue for Standard (best effort) traffic. This queue is served
   after all high priority and weighted queues have been served.
By default, every Power Ranger physical port will be configured with these eight
queues, providing for NNSC requirements.
Table 3: Ethernet Interface Type Default Internal QoS Mapping

Internal   Fast Ethernet        1GE Queue            10GE Queue           NNSC
QoS Level  Queue Num/Style      Num/Style            Num/Style
---------  -------------------  -------------------  -------------------  ----------------
0          5 / Low priority     55 / Low priority    55 / Low priority    Custom
1          4 / Weighted         4 / Weighted         4 / Weighted         Standard/Default
2          3 / Weighted         3 / Weighted         3 / Weighted         Bronze
3          2 / Weighted         2 / Weighted         2 / Weighted         Silver
4          1 / Weighted         1 / Weighted         1 / Weighted         Gold
5          0 / Weighted         0 / Weighted         0 / Weighted         Platinum
6          6 / High priority    62 / High priority   62 / High priority   Premium
7          7 / High priority    63 / High priority   63 / High priority   Critical/Network


3.3 Default Ingress p-bit to Internal QoS Level and Egress Queue Mapping

Table 4: Default p-bit Interface Internal QoS Level and Egress Queue Mapping

802.1p  Internal QoS  Egress Queue FE  Egress Queue GE (Egress Queue set 2)  Q-name
------  ------------  ---------------  ------------------------------------  ----------------
0       1             4                4                                     Standard/Default
1       0             5                55                                    Custom
2       2             3                3                                     Bronze
3       3             2                2                                     Silver
4       4             1                1                                     Gold
5       5             0                0                                     Platinum
6       6             6                62                                    Premium
7       7             7                63                                    Network/Critical

3.4 Gigabit Ethernet Default Ingress DSCP to Egress Queue Mapping

Ingress DSCP  DSCP   ToS    Internal  Egress Queue          PHB   Q-name
(Dec)         (Hex)  (Hex)  QoS       (Egress Queue set 2)
------------  -----  -----  --------  --------------------  ----  ----------------
00            00     00     1         4                     CS0   Custom
00            00     00     1         4                     DE
08            08     20     2         3                     CS1   Bronze
10            A      28     2         3                     AF11
16            10     40     3         2                     CS2   Silver
18            12     48     3         2                     AF21
24            18     60     4         1                     CS3   Gold
26            1A     68     4         1                     AF31
32            20     80     5         0                     CS4   Platinum
34            22     88     5         0                     AF41
40            28     A0     6         62                    CS5   Premium
46            2E     B8     6         62                    EF
48            30     C0     7         63                    CS6   Network/Critical
56            38     E0     7         63                    CS7
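The decimal, hex and ToS columns of the table above are three views of the same six-bit field, and the PHB names follow from the bit layout of the code point. The following Python is an added example, not Nortel code: it decodes a DSCP into its PHB name and ToS byte, looks up the internal QoS level and GE egress queue the table assigns, and checks every printed row against the decoder so a transcription error in a table like this one would surface.

```python
"""Decode DSCP code points and cross-check the section 3.4 table.

Added example, not Nortel code.  PHB names are derived from the DiffServ
code-point layout (class selector in the top three bits, AF drop
precedence in the next two, EF fixed at 46); the per-row internal QoS
level and GE egress queue are copied from the table above so the decoder
can be checked against the table's hex, ToS and PHB columns.
"""

# (internal QoS level, GE egress queue) per listed DSCP, from the table above.
GE_DEFAULT_DSCP_MAP = {
    0: (1, 4), 8: (2, 3), 10: (2, 3), 16: (3, 2), 18: (3, 2), 24: (4, 1),
    26: (4, 1), 32: (5, 0), 34: (5, 0), 40: (6, 62), 46: (6, 62),
    48: (7, 63), 56: (7, 63),
}

# The table rows as printed: (DSCP dec, DSCP hex, ToS hex, PHB).
TABLE_ROWS = [
    (0, "00", "00", "CS0"), (0, "00", "00", "DE"), (8, "08", "20", "CS1"),
    (10, "A", "28", "AF11"), (16, "10", "40", "CS2"), (18, "12", "48", "AF21"),
    (24, "18", "60", "CS3"), (26, "1A", "68", "AF31"), (32, "20", "80", "CS4"),
    (34, "22", "88", "AF41"), (40, "28", "A0", "CS5"), (46, "2E", "B8", "EF"),
    (48, "30", "C0", "CS6"), (56, "38", "E0", "CS7"),
]


def dscp_to_phb(dscp):
    """Standard PHB name for a 6-bit DSCP value, or 'unknown' if it has none."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit field")
    if dscp == 46:
        return "EF"
    cls, low = dscp >> 3, dscp & 0x7
    if low == 0:
        return f"CS{cls}"                        # class selectors CS0..CS7
    if 1 <= cls <= 4 and low in (2, 4, 6):
        return f"AF{cls}{low // 2}"              # assured forwarding AF11..AF43
    return "unknown"


def dscp_to_tos(dscp):
    """ToS byte carrying this DSCP: the code point sits in the top six bits, ECN bits zero."""
    return dscp << 2


def tos_to_dscp(tos):
    """Inverse of dscp_to_tos; drops the two ECN bits."""
    return (tos & 0xFF) >> 2


def classify(dscp):
    """(PHB name, internal QoS level, GE egress queue); level and queue are None
    for code points the default table does not list."""
    level, queue = GE_DEFAULT_DSCP_MAP.get(dscp, (None, None))
    return dscp_to_phb(dscp), level, queue


def check_table(rows=TABLE_ROWS):
    """Return the rows whose hex, ToS or PHB column disagrees with the decoder."""
    bad = []
    for dec, hex_str, tos_str, phb in rows:
        expected_phb = "CS0" if phb == "DE" else phb   # DE (default) is code point 0, i.e. CS0
        if (int(hex_str, 16) != dec or int(tos_str, 16) != dscp_to_tos(dec)
                or dscp_to_phb(dec) != expected_phb):
            bad.append((dec, hex_str, tos_str, phb))
    return bad


if __name__ == "__main__":
    print("table rows disagreeing with the decoder:", check_table())
    for d in (0, 10, 46, 48):
        print(d, classify(d))
```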


3.5 Egress Traffic Shaping

Figure 2: Egress Traffic Shaping (ingress ports; ingress ACLs assign flows to
egress queues; packet queues, scheduler and rate limiter make up the egress
shaping function in front of the egress port)


For each balanced queue, you can set up a desired minimum rate guarantee and a
maximum rate limit. For each priority queue, either high or low priority, a minimum
rate guarantee is not applicable; only the maximum rate should be configured. The
sum of all the balanced queue guarantees plus the high priority queue rate limits
(max rates) has to be less than or equal to the line rate; see section 3.5.1.

3.5.1 High Priority Group – Maximum Rate

All packets in a high priority group are serviced from the highest queue downward.
For a Gigabit Ethernet interface, this implies that queue 63 will be serviced prior
to queue 62.
To ensure that no single queue, or the whole high priority group, monopolizes all
the bandwidth, a maximum rate can be configured for each high priority queue.
You can increase or decrease the maximum rate on any high priority queue with
the exception of queue 63, the queue reserved for network traffic. The ERS 8600
uses queue 63 for all control traffic such as Spanning Tree BPDUs.
By default, queue 63 is configured with a maximum rate of 5% while queue 62 is
configured for 45%. Note that the maximum rate is expressed as a percentage of
line rate for the various ports using the same shaper template. You can modify the
default maximum rate if required.
Note that the total of the maximum rates for the high priority queues and the
minimum rates of the balanced queues must be less than or equal to 100% to
ensure that the balanced queues get their promised minimum configured rate:
High Queue Max Rate <= [Available Bandwidth – Total Minimum Rates for
Balanced Queues]

3.5.2 Balanced Priority Group – Minimum and Maximum Rates

Queues belonging to the balanced group are serviced by a weighted round robin
scheduler. Each queue in the balanced group is assigned a minimum rate and a
maximum rate. The minimum rate is a guarantee to provide at least the percentage
of bandwidth share configured for the queue. For example, on a Gigabit Ethernet
link, if the queue is configured for a 10% minimum rate, the queue is guaranteed
100 Mb/s of the total available bandwidth. The rate on a particular queue can go
up to the maximum rate configured, provided there is no traffic to be serviced on
the other queues.
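The three scheduling rules stated in sections 3.1, 3.5.1 and 3.5.2 (strict priority with a max-rate cap, weighted round robin with a min-rate guarantee and a max-rate cap, and best effort for the remainder) can be worked through numerically. The following Python is an added illustration, not Nortel code and not the switch's scheduler: given offered loads per queue, it applies the rules in order and reports how much line rate each queue receives, refusing a configuration that breaks the 3.5.1 rule. The weight used for round robin is the queue's min-rate (the page says the weight is defined by the minimum rate); giving weight 1 to a queue with min-rate 0 is an assumption, and the offered loads are constructed.

```python
"""Bandwidth share model for one R-module egress queue set.

Added illustration for sections 3.1, 3.5.1 and 3.5.2; it is not Nortel
code and not the switch's scheduler.  It models the three queue groups
as the page describes them: high priority queues served strictly from the
highest queue id down, each capped by its max-rate; balanced queues that
first receive their min-rate guarantee and then share spare bandwidth by
weighted round robin, weighted by min-rate (a queue with min-rate 0 is
given weight 1, an assumption) and capped by max-rate; and low priority
queues that take whatever is left.  All rates are percentages of line
rate, as in the CLI.
"""
from dataclasses import dataclass


@dataclass
class Queue:
    qid: int
    style: str            # "high-pri", "Bal" or "low-pri", as 'show qos config' prints them
    min_rate: int = 0     # percent of line rate, balanced queues only
    max_rate: int = 100   # percent of line rate
    offered: float = 0.0  # offered load, percent of line rate


def check_rates(queues):
    """Section 3.5.1 rule: high-pri max rates + balanced min rates must not exceed 100."""
    hi = sum(q.max_rate for q in queues if q.style == "high-pri")
    bal_min = sum(q.min_rate for q in queues if q.style == "Bal")
    return hi + bal_min <= 100


def allocate(queues):
    """Return {qid: percent of line rate granted} for the given offered loads."""
    if not check_rates(queues):
        raise ValueError("high-pri max rates plus balanced min rates exceed 100%")
    grant, remaining = {}, 100.0
    # 1. High priority: strict order 63, 62, ..., each capped by its max-rate.
    for q in sorted((q for q in queues if q.style == "high-pri"), key=lambda q: -q.qid):
        grant[q.qid] = g = min(q.offered, q.max_rate, remaining)
        remaining -= g
    # 2a. Balanced: honour every min-rate guarantee first.
    bal = [q for q in queues if q.style == "Bal"]
    for q in bal:
        grant[q.qid] = g = min(q.offered, q.min_rate, remaining)
        remaining -= g
    # 2b. Share the spare capacity by weight (WRR) until queues are satisfied or capped.
    active = [q for q in bal if grant[q.qid] < min(q.offered, q.max_rate)]
    while active and remaining > 1e-9:
        pool = remaining
        total_w = sum(q.min_rate or 1 for q in active)
        progressed = False
        for q in list(active):
            want = min(q.offered, q.max_rate) - grant[q.qid]
            give = min(want, pool * (q.min_rate or 1) / total_w)
            grant[q.qid] += give
            remaining -= give
            progressed = progressed or give > 0
            if min(q.offered, q.max_rate) - grant[q.qid] <= 1e-9:
                active.remove(q)
        if not progressed:
            break
    # 3. Low priority: best effort with what is left.
    for q in (q for q in queues if q.style == "low-pri"):
        grant[q.qid] = g = min(q.offered, q.max_rate, max(remaining, 0.0))
        remaining -= g
    return grant


def queue_set_3(offered):
    """Queue set 3 from section 3.6.1 with constructed offered loads {qid: percent}."""
    mins = {0: 10, 1: 10, 2: 10, 3: 20, 4: 15, 5: 15, 6: 5, 7: 5}
    qs = [Queue(q, "Bal", m, 100, offered.get(q, 0.0)) for q, m in mins.items()]
    qs.append(Queue(55, "low-pri", 0, 100, offered.get(55, 0.0)))
    qs.append(Queue(63, "high-pri", 0, 5, offered.get(63, 0.0)))
    return qs


if __name__ == "__main__":
    # Control traffic over its cap, two busy balanced queues, a saturated low-priority queue.
    print(allocate(queue_set_3({63: 20, 0: 60, 3: 60, 55: 100})))
```

In the constructed scenario queue 63 is held to its 5% cap even though 20% is offered, queue 3 (min-rate 20) takes all of its 60% while queue 0 (min-rate 10) ends at 35%, and the low priority queue gets nothing; that is the behaviour a 5% cap on the control-traffic queue is meant to guarantee.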

3.5.3 Queue Size

Up to 32K memory pages are supported per LANE. Hence, up to 32K memory
pages are supported per 10GE port or 10 x 1GE ports. Please see Table 4, Default
QoS to Egress Queue Mapping, regarding the default queue size in pages per
egress queue. The default setting can be changed by using the commands shown
in section 3.5.2.

3.5.4 Statistics
Two hardware counters are maintained for every elementary egress queue. These
two counters are total pages and dropped pages, where each page represents 512
bytes. Hence, for example, a 64 byte packet will consume a 512 byte memory page.
It should be noted that this granularity makes it difficult to compare actual queue
output, as the statistics count pages rather than bytes. For packet sizes of fewer
than 512 bytes, each packet is counted as one page. For packets greater than 512
bytes, the number of pages will be greater than the number of frames. Taking the
backplane overhead into consideration, 512 byte packets will actually take two
pages, where each cell holds 144 or 148 bytes of data depending on whether the
packet header extension is present.
The statistics can be viewed by using the commands below:
• Passport-8610:5# show qos stats egress-queue-set ?

Sub-Context:
Current Context:

all [verbose]
egress-queue-set <id> [verbose]
port <ports> [verbose]
Example:
• Passport-8610:5# show qos stats egress-queue-set egress-queue-set 2
==================================================================
R-Module QOS Shapers Stats Table
==================================================================
Port Qid Total pages Dropped pages Utilization
(512 bytes per page) (512 bytes per page) %
------------------------------------------------------------------
8/1 0 0 0 0
8/1 1 0 0 0
8/1 2 0 0 0
8/1 3 0 0 0
8/1 4 0 0 0
8/1 55 0 0 0
8/1 62 0 0 0
8/1 63 0 0 0
8/2 0 0 0 0
8/2 1 0 0 0
8/2 2 0 0 0
8/2 3 0 0 0
8/2 4 0 0 0
8/2 55 0 0 0
8/2 62 0 0 0
8/2 63 0 0 0
etc.


• Passport-8610:5# show qos stats egress-queue-set port 8/23

=================================================================
R-Module QOS Shapers Stats Table
=================================================================
Port Qid Total pages Dropped pages Utilization
(512 bytes per page) (512 bytes per page) %
-----------------------------------------------------------------
8/23 0 0 0 0
8/23 1 0 0 0
8/23 2 0 0 0
8/23 3 0 0 0
8/23 4 0 0 0
8/23 55 0 0 0
8/23 62 0 0 0
8/23 63 54526 0 100
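The shaper statistics are easiest to act on when collected periodically and parsed rather than read by eye. The following Python is an added example, not a Nortel tool: it parses the table format shown above into rows, flags queues that are dropping pages or running at high reported utilization, and converts the page counter into the byte upper bound the 512-byte page size implies. The sample output is constructed from the 8/23 table above, with made-up counts on queue 62 so that a dropping queue appears.

```python
"""Parse 'show qos stats egress-queue-set' output and flag queues under stress.

Added example, not a Nortel tool.  The sample below is constructed from the
8/23 table above; the page counts for queue 62 are made up to show a queue
that is discarding pages.  Pages are 512 bytes, as the counter header says,
so total pages give an upper bound on bytes, not an exact byte count.
"""
import re

PAGE_BYTES = 512

SAMPLE_OUTPUT = """\
=================================================================
R-Module QOS Shapers Stats Table
=================================================================
Port Qid Total pages Dropped pages Utilization
(512 bytes per page) (512 bytes per page) %
-----------------------------------------------------------------
8/23 0 0 0 0
8/23 1 0 0 0
8/23 2 0 0 0
8/23 3 0 0 0
8/23 4 0 0 0
8/23 55 0 0 0
8/23 62 1200 300 45
8/23 63 54526 0 100
"""

# A data row: port, queue id, total pages, dropped pages, utilization percent.
ROW_RE = re.compile(r"^(\d+/\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)$")


def parse_stats(text):
    """Return one dict per queue row; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            port, qid, total, dropped, util = m.groups()
            rows.append({"port": port, "qid": int(qid), "total_pages": int(total),
                         "dropped_pages": int(dropped), "utilization": int(util)})
    return rows


def bytes_upper_bound(row):
    """Largest byte count the total-pages counter can represent (every page full)."""
    return row["total_pages"] * PAGE_BYTES


def flag_queues(rows, drop_ratio=0.01, util_pct=90):
    """(port, qid, reason) for queues dropping pages or running at/above util_pct."""
    flags = []
    for r in rows:
        if r["total_pages"] and r["dropped_pages"] / r["total_pages"] >= drop_ratio:
            flags.append((r["port"], r["qid"], "drops"))
        if r["utilization"] >= util_pct:
            flags.append((r["port"], r["qid"], "utilization"))
    return flags


if __name__ == "__main__":
    rows = parse_stats(SAMPLE_OUTPUT)
    for port, qid, reason in flag_queues(rows):
        print(f"port {port} queue {qid}: {reason}")
```

Queue 63 carries the switch's control traffic and is capped by its max-rate (section 3.5.1), so a queue 63 row that sits at 100% utilization over successive collections deserves a look at what is feeding it before any drops on that queue start to affect protocols such as Spanning Tree.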

3.5.5 WRED
In release 4.0, WRED is not supported. WRED will be added in release 4.1.


3.6 Queue Set Configuration Commands

3.6.1 Adding a New Queue Set
As mentioned in Section 3.1, two queue templates are already added by default.
Queue template 1, which supports 8 queues per port, is assigned to I/O modules
with more than 10 ports per lane, i.e. PP8648GTR. Queue template 2, which
supports up to 64 queues per port of which only 8 are used per port, is assigned to
I/O modules with up to 10 ports per lane, i.e. PP8630GBR.
If required, a new egress queue set can be added by using the following command.
• Passport-8610:5# config qos egress-queue-set ?
Sub-Context: port queue
Current Context:
apply
create qmax <value> [balanced-queues <value>] [hipri-queues <value>] [lopri-queues <value>] [name <value>]
delete
info
name <value>

• Passport-8610:5# config qos egress-queue-set 10 create
Not enough required parameters entered create qos egress queue set
Required parameters:
qmax <value> = queue max of 8 or 64 {8|64}
Optional parameters:
balanced-queues <value> = balanced queues in the template {0..48}
hipri-queues <value> = high priority queues in the template {0..64}
lopri-queues <value> = low priority queues in the template {0..8}
name <value> = name for qos tx queue {string length 0..32}
Command syntax:
create qmax <value> [balanced-queues <value>] [hipri-queues <value>]
[lopri-queues <value>] [name <value>]

NOTE: To take advantage of a new queue set, ACLs must be used. The ACL must be
configured with an ACE whose action selects the queue number on a filter match.
3.6.1.1 Adding a new Queue Set Configuration Example
For example, let's assume we wish to create a new queue template, queue-set 3,
with the following number of queues and no shaping:
• High priority queues: 1
  o Max-rate = 5%
• Low priority queues: 1
  o Min-rate = 0%, Max-rate = 100%
• Balanced queues: 8
  o Queues 0, 1, and 2: Min-rate = 10%, Max-rate = 100%
  o Queue 3: Min-rate = 20%, Max-rate = 100%
  o Queues 4 and 5: Min-rate = 15%, Max-rate = 100%
  o Queues 6 and 7: Min-rate = 5%, Max-rate = 100%
• Queue 55: Max-rate = 100%
• Queue 63: Max-rate = 5%


Enter the following command:

CLI:
• Passport-8610:5# config qos egress-queue-set 3 create qmax 64 balanced-queues 8 hipri-queues 1 lopri-queues 1
• Passport-8610:5# config qos egress-queue-set 3 apply
NOTE: For Gigabit Ethernet ports, the qmax setting is 64 while for 10/100 Fast
Ethernet ports, the qmax setting is 8.
NOTE: You must enter the apply command when changing or adding any egress queue
parameter.
NOTE: All balanced queues start at queue 0 and move forwards. All low-priority
queues start at 55 and move backwards, i.e. 55, 54, 53 etc. All high-priority
queues start at queue 63 and move backwards.
After the queue set has been configured, you will still have to configure the queue
weight for each balanced queue, which is defined by the minimum rate. If required,
shaping can be applied to each queue by defining its maximum rate. The new
queue-set 3 can be observed by using the following command.
• Passport-8610:5# show qos config egress-queue-set egress-queue-set 3 queues
====================================================================
R-Module QOS Shapers Table
====================================================================
Qid Q-name Q-style min-rate max-rate max-q-length
--------------------------------------------------------------------
0 Queue-0 Bal 10 100 163
1 Queue-1 Bal 0 0 320
2 Queue-2 Bal 0 0 320
3 Queue-3 Bal 0 0 320
4 Queue-4 Bal 0 0 320
5 Queue-5 Bal 0 0 320
6 Queue-6 Bal 0 0 320
7 Queue-7 Bal 0 0 320
55 Queue-55 low-pri 0 0 320
63 Queue-63 high-pri 0 5 163

NOTE: Notice that the min-rate and max-rate are not yet set.

To change the queue minimum and maximum rates, use the following command:
• Passport-8610:5# config qos egress-queue-set 3 queue <1..64> ?
Sub-Context:
Current Context:
set [min-rate <value>] [max-rate <value>] [max-length <value>]
info
name <value>
• Passport-8610:5# config qos egress-queue-set 3 queue 1 set ?
set queue values:
Optional parameters:
min-rate <value> = minimum rate in percentage {0..100}
max-rate <value> = maximum rate in percentage {0..100}
max-length <value> = maximum length in pages {0..8000}
{off|low|medium|high} <value>
Command syntax:
set [min-rate <value>] [max-rate <value>] [max-length <value>]
The following commands change the minimum and maximum rates as specified
above:
• Passport-8610:5# config qos egress-queue-set 3 queue 1 set min-rate 10 max-rate 100
• Passport-8610:5/config/qos/egress-queue-set/3# queue 2 set min-rate 10 max-rate 100
• Passport-8610:5/config/qos/egress-queue-set/3# queue 3 set min-rate 20 max-rate 100
• Passport-8610:5/config/qos/egress-queue-set/3# queue 4 set min-rate 15 max-rate 100
• Passport-8610:5/config/qos/egress-queue-set/3# queue 5 set min-rate 15 max-rate 100
• Passport-8610:5/config/qos/egress-queue-set/3# queue 6 set min-rate 5 max-rate 100
• Passport-8610:5/config/qos/egress-queue-set/3# queue 7 set min-rate 5 max-rate 100
• Passport-8610:5/config/qos/egress-queue-set/3# queue 55 set max-rate 100
• Passport-8610:5/config/qos/egress-queue-set/3# apply
NOTE: The sum of the minimum rates for all balanced queues and the max-rate of
the high priority queue cannot exceed 100.
NOTE: You must enter the 'apply' command after changing a queue minimum or
maximum rate.
NOTE: The maximum length is measured in pages, as per section 3.5.3.
Queue set 3 should now look like the following:
• Passport-8610:5# show qos config egress-queue-set egress-queue-set 3 queues
====================================================================
R-Module QOS Shapers Table
====================================================================
Qid Q-name Q-style min-rate max-rate max-q-length
--------------------------------------------------------------------
0 Queue-0 Bal 10 100 163
1 Queue-1 Bal 10 100 320
2 Queue-2 Bal 10 100 320
3 Queue-3 Bal 20 100 320
4 Queue-4 Bal 15 100 320
5 Queue-5 Bal 15 100 320
6 Queue-6 Bal 5 100 320
7 Queue-7 Bal 5 100 320
55 Queue-55 low-pri 0 100 320
63 Queue-63 high-pri 0 5 163

Finally, to add port members to the queue set, enter the following command:
• Passport-8610:5# config qos egress-queue-set 3 port add <ports>
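The procedure above (create the set, apply, set rates per queue, apply, add ports) is easy to get subtly wrong by hand: a forgotten apply, a rate total over 100, or a queue count the template cannot hold. The following Python is an added example, not Nortel code: it emits the full command sequence for a queue set from a short specification and refuses to emit anything that breaks the rules this section states. It assumes the queue-numbering convention given in the NOTE above (balanced from 0 up, low priority from 55 down, high priority from 63 down), takes the per-style limits from the create ? output, and emits a set line for queue 0 too, which the page's walkthrough leaves at its defaults.

```python
"""Generate and sanity-check the CLI for a new R-module egress queue set.

Added example, not Nortel code: it strings together the 3.6.1 procedure
(create, apply, per-queue rates, apply, port add) and checks the rules the
section states before anything is typed in.  qmax is 8 or 64; balanced
queues are numbered from 0 upward, low-priority queues from 55 downward
and high-priority queues from 63 downward; balanced min-rates plus
high-priority max-rates may not exceed 100.  The per-style queue limits
are the ones 'create ?' prints.  Unlike the page's walkthrough, a set
line is emitted for queue 0 as well.
"""

QMAX_VALUES = (8, 64)
MAX_QUEUES = {"balanced": 48, "hipri": 64, "lopri": 8}


def queue_ids(n_bal, n_hi, n_lo):
    """(balanced ids, high-priority ids, low-priority ids) the switch will assign."""
    return (list(range(n_bal)),
            [63 - i for i in range(n_hi)],
            [55 - i for i in range(n_lo)])


def build_queue_set(set_id, qmax, balanced, hipri, lopri, ports=None, name=None):
    """balanced: [(min_rate, max_rate), ...] in queue order 0, 1, ...;
    hipri / lopri: [max_rate, ...] for queues 63, 62, ... and 55, 54, ...
    Returns the command lines to enter at the Passport-8610:5# prompt."""
    if qmax not in QMAX_VALUES:
        raise ValueError("qmax must be 8 or 64")
    counts = {"balanced": len(balanced), "hipri": len(hipri), "lopri": len(lopri)}
    for kind, n in counts.items():
        if n > MAX_QUEUES[kind]:
            raise ValueError(f"too many {kind} queues: {n} > {MAX_QUEUES[kind]}")
    if sum(counts.values()) > qmax:
        raise ValueError("more queues than qmax allows")
    all_rates = [r for pair in balanced for r in pair] + list(hipri) + list(lopri)
    if any(not 0 <= r <= 100 for r in all_rates):
        raise ValueError("rates are percentages 0..100")
    if sum(mn for mn, _ in balanced) + sum(hipri) > 100:
        raise ValueError("balanced min-rates plus high-priority max-rates exceed 100")
    bal_ids, hi_ids, lo_ids = queue_ids(counts["balanced"], counts["hipri"], counts["lopri"])
    base = f"config qos egress-queue-set {set_id}"
    create = (f"{base} create qmax {qmax} balanced-queues {counts['balanced']} "
              f"hipri-queues {counts['hipri']} lopri-queues {counts['lopri']}")
    if name:
        create += f" name {name}"
    lines = [create, f"{base} apply"]                      # apply after creating the set
    for qid, (mn, mx) in zip(bal_ids, balanced):
        lines.append(f"{base} queue {qid} set min-rate {mn} max-rate {mx}")
    for qid, mx in zip(lo_ids, lopri):                     # no min-rate on priority queues
        lines.append(f"{base} queue {qid} set max-rate {mx}")
    for qid, mx in zip(hi_ids, hipri):
        lines.append(f"{base} queue {qid} set max-rate {mx}")
    lines.append(f"{base} apply")                          # apply again after rate changes
    if ports:
        lines.append(f"{base} port add {ports}")
    return lines


if __name__ == "__main__":
    # Queue set 3 from section 3.6.1.1; the port range is the one the show output above lists.
    spec = [(10, 100)] * 3 + [(20, 100)] + [(15, 100)] * 2 + [(5, 100)] * 2
    print("\n".join(build_queue_set(3, 64, spec, hipri=[5], lopri=[100], ports="8/29-8/30")))
```

Every command is emitted in the form typed at the top-level prompt, so the output can be pasted as a block or diffed against a running configuration.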


Device Manager:
To add a new queue set, follow the instructions below.
Via QoS>Egress Queue Set>Insert
(Screenshot: the Insert dialog; click the port-members field to add port members.)
After this queue set has been configured, queue numbers 0 to 7 will automatically
be assigned to the balanced queues, queue number 63 to the high priority queue,
and queue number 55 to the low priority queue.
To change the individual queue settings, follow the instructions below.
Via QoS>Egress Queue Set>Select Queue Set 3>Queue
(Screenshot: enter MinRate and MaxRate for each queue, then click Apply when
finished.)


3.6.1.2 Queue Set Show Commands

To view the queue set, enter the following commands:
a) View all the queue sets
Passport-8610:5# show qos config egress-queue-set all

==========================================================================
R-Module QOS Shapers Table
==========================================================================
TemplateID Name Total Qs BalQs Hi-priQs lo-priQs Ports
--------------------------------------------------------------------------
1 NNSC8 8 5 2 1
2 NNSC64 8 5 2 1 8/1-8/28
3 set-3 10 8 1 1 8/29-8/30

b) View individual queue set

Passport-8610:5# show qos config egress-queue-set egress-queue-set 3

==========================================================================
R-Module QOS Shapers Table
==========================================================================
TemplateID Name Total Qs BalQs Hi-priQs lo-priQs Ports
--------------------------------------------------------------------------
3 set-3 10 8 1 1 8/29-8/30

c) View queue set used on a port level

Passport-8610:5# show qos config egress-queue-set port 8/29

==========================================================================
R-Module QOS Shapers Table
==========================================================================
TemplateID Name Total Qs BalQs Hi-priQs lo-priQs Ports
--------------------------------------------------------------------------
3 set-3 10 8 1 1 8/29-8/30


d) View queue shaper table for queue set 3

Passport-8610:5# show qos config egress-queue-set egress-queue-set 3 queues

==========================================================================
R-Module QOS Shapers Table
==========================================================================
Qid Q-name Q-style min-rate max-rate max-q-length
--------------------------------------------------------------------------
0 Queue-0 Bal 10 100 163
1 Queue-1 Bal 10 100 320
2 Queue-2 Bal 10 100 320
3 Queue-3 Bal 20 100 320
4 Queue-4 Bal 15 100 320
5 Queue-5 Bal 15 100 320
6 Queue-6 Bal 5 100 320
7 Queue-7 Bal 5 100 320
55 Queue-55 low-pri 0 100 320
63 Queue-63 high-pri 0 5 163


4. Ingress Traffic Policing

Figure 3: Ingress Policing (L2-L7) (the figure shows the CIR and PIR meters and
the three outcomes: forwarded, dropped under congestion, and discarded)

The ERS 8600 R-modules support up to 450 policers (50 reserved internally)
per LANE (per 10 GE port or 10 x 1 GE ports; please see Appendix D for
hardware details). Hence, on an ERS 8683XLR, 8683XZR, or 8630GBR up to 1200
(1350 total) policers are supported per I/O module.
The following options are supported:
• CIR: Service rate
• PIR: Peak information rate
• 3 internal colors to remark packets to
  o Red (discard right away)
  o Yellow (discard if congestion)
  o Green (forward)
• Drop precedence in case of internal congestion
Ingress policing is supported on Port ACLs or VLAN ACLs. Port ACLs apply to
individual port based policers, which are members of individual LANEs. VLAN ACLs
apply Global policers, which are members of all LANEs.


4.1 Policing Configuration

A policing policy can be set up using the following command:
• Passport-8610:5# config qos policy ?
Sub-Context: lanes
Current Context:
create peak-rate <value> svc-rate <value> [lanes <value>] [name <value>]
delete
info
modify peak-rate <value> svc-rate <value>
name <value>

• Passport-8610:5# config qos policy 1 create ?
create qos policy
Required parameters:
peak-rate <value> = peak rate in Kbs {250..10000000}
svc-rate <value> = service rate in Kbs {250..10000000}
Optional parameters:
lanes <all | value> = lanes associated with the Policer
account <slot/lane[-slot/lane,slot/lane]
name <value> = name for qos policy {string length 1..32}
Command syntax:
create peak-rate <value> svc-rate <value> [lanes <value>] [name <value>]

• Passport-8610:5# config qos policy <1..16383>

The following is an example where we wish to allow a peak rate of 10,000 Kbs
with a service rate of 2,000 Kbs.
CLI:
• Passport-8610:5# config qos policy 10 create peak-rate 10000 svc-rate 2000 name policy_1
• Passport-8610:5# config qos policy 10 create peak-rate 10000 svc-rate 2000 lanes 7/3 name policy_1
NOTE: If adding a lane, you can select all lanes (all ports) or a fixed set of ports.
For example, on the 8630, there are a total of three lanes where each lane
represents ten ports (lane 1 for ports 1 to 10, lane 2 for ports 11 to 20, and lane 3
for ports 21 to 30).
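What the svc-rate and peak-rate of policy_1 do to a burst of traffic can be seen by metering a packet trace against a two-rate meter. The following Python is an added example, not Nortel code and not a description of the R-module hardware: it implements the two-rate three-colour marker of RFC 2698 in colour-blind mode with the page's CIR of 2,000 Kbs and PIR of 10,000 Kbs, colouring each packet green, yellow or red as section 4 defines those outcomes. The page does not expose burst sizes, so the committed and peak bucket depths are assumptions, and the packet trace is constructed.

```python
"""Two-rate, three-colour model of the ingress policer in section 4.

Added example, not Nortel code.  svc-rate and peak-rate are the CIR and
PIR in kb/s exactly as the 'config qos policy' command takes them; the
switch does not expose burst sizes on this page, so the committed and peak
bucket depths here are ASSUMED values.  The metering logic is the
two-rate three-colour marker of RFC 2698 in colour-blind mode: red is
discarded immediately, yellow is forwarded but marked drop-eligible for
internal congestion, green is forwarded.
"""
from collections import Counter


class TwoRatePolicer:
    def __init__(self, svc_rate_kbps, peak_rate_kbps, cbs_bytes=30000, pbs_bytes=60000):
        if not 250 <= svc_rate_kbps <= peak_rate_kbps <= 10_000_000:
            raise ValueError("rates in kb/s: 250..10000000 and svc-rate <= peak-rate")
        self.cir = svc_rate_kbps * 1000 / 8.0    # committed rate, bytes per second
        self.pir = peak_rate_kbps * 1000 / 8.0   # peak rate, bytes per second
        self.cbs, self.pbs = cbs_bytes, pbs_bytes  # ASSUMED bucket depths in bytes
        self.tc, self.tp = float(cbs_bytes), float(pbs_bytes)  # buckets start full
        self.last = 0.0

    def colour(self, size, now):
        """Meter one packet of `size` bytes arriving at time `now` (seconds)."""
        if now < self.last:
            raise ValueError("packets must be metered in arrival order")
        dt = now - self.last
        self.last = now
        # Refill both buckets for the time elapsed, never beyond their depth.
        self.tc = min(self.cbs, self.tc + self.cir * dt)
        self.tp = min(self.pbs, self.tp + self.pir * dt)
        if size > self.tp:          # over the peak rate: red, discard
            return "red"
        self.tp -= size
        if size > self.tc:          # within peak but over committed: yellow, drop-eligible
            return "yellow"
        self.tc -= size             # within committed rate: green, forward
        return "green"


def meter_trace(policer, trace):
    """trace: iterable of (arrival_seconds, size_bytes). Returns colour counts."""
    counts = Counter()
    for now, size in trace:
        counts[policer.colour(size, now)] += 1
    return counts


def burst_then_pause():
    """Constructed trace: 50 packets of 1500 bytes at t=0, then one more at t=1s."""
    return [(0.0, 1500)] * 50 + [(1.0, 1500)]


if __name__ == "__main__":
    # policy_1 from the CLI example: peak-rate 10000, svc-rate 2000.
    print(meter_trace(TwoRatePolicer(svc_rate_kbps=2000, peak_rate_kbps=10000), burst_then_pause()))
```

With the assumed 30,000-byte committed and 60,000-byte peak buckets, the 50-packet burst splits into 20 green, 20 yellow and 10 red packets, and the packet arriving one second later is green again because both buckets have refilled; changing the bucket depths moves those boundaries, which is why burst size matters as much as rate when a policer is used to protect a segment from flooding.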


Device Manager:
Via QoS>Policy>Policy>Insert


5. QoS Concepts
5.1 Changing the DiffServ Port Type
The ERS 8000 Series Switch implements a DiffServ architecture as defined in RFC
2474 and RFC 2475. The DSCP and the IEEE 802.1p marking found in VLANs are
both used to mark the packet to its appropriate PHB and QoS level, providing layer
2 and layer 3 QoS functionality.

Figure 4: DiffServ Network Model (Host A, DiffServ access port, DiffServ core port,
PP8600 core network, DiffServ core port, DiffServ access port, Host B)

DiffServ Access Port
The DiffServ access port classifies traffic by marking it with the appropriate DSCP.
The classified traffic is assigned to an internal QoS level based on the ACLs and
traffic policies you enable. ACLs allow you to set criteria for identifying a microflow
or an aggregate flow by matching on multiple fields in the IP packet.
DiffServ Core Port
The DiffServ core port does not change packet classification or marking done in the
DiffServ access port. The core port preserves the DSCP or IEEE 802.1p bit
marking of all incoming packets and uses these markings to assign the packet to
an internal queue.
The following command is used to enable DiffServ on a port:
• Passport-8610:5# config ethernet <slot/port> enable-diffserv <true|false>
To change the DiffServ port type, enter the following command:
• Passport-8610:5# config ethernet <slot/port> access-diffserv <true|false>

5.2 L2 and L3 Trusted and Untrusted Ports

This section contains a series of traffic processing flowcharts, each of which shows
ports configured as trusted and untrusted ports at both the L2 and L3 (DiffServ)
levels. Figure 3 on page 36 shows the DiffServ access mode with the 802.1p
override enabled.
Two separate configuration options are provided to configure R-Module ports as
trusted or untrusted at the layer 2 or layer 3 level.


Layer 2 - Trusted and Untrusted Port

A port can be configured as a trusted port (honoring 802.1p bits) or as an untrusted
port (overriding incoming 802.1p bits) by using the command shown below.
Passport-8610:5# config ethernet <slot/port> 802.1p-override <enable|disable>
• 8021p-override enable => Override incoming 802.1p bits
• 8021p-override disable => Honour and service incoming 802.1p bits
8021p-override is disabled in the factory default config.
Layer 3 – Trusted and Untrusted Port
A port can be configured as a trusted (Core Port) or untrusted port (Access Port)
at layer 3. In order to configure a port as a Core or Access port, DiffServ must be
enabled.
Passport-8610:5# config ethernet <slot/port> enable-diffserv <false|true>
Passport-8610:5# config ethernet <slot/port> access-diffserv <false|true>
• access-diffserv = true (Access port) => Override incoming DSCP bits
• access-diffserv = false (Core port) => Honour and service incoming DSCP bits
DiffServ is disabled in the factory default config.
Table 5 through Table 8 on pages 36 and 37 summarize ingress and egress QoS
actions for various types of traffic originating on trusted and untrusted ports.
Table 5: L2 and L3 Trusted Port Actions

IP bridged untagged
  Ingress action: Choose QoS level based on MAC/Port/VLAN setting. Send to the appropriate egress queue.
  Egress marking: Keep original DSCP value. If the outgoing packet needs to be tagged, set 802.1p based on egress mapping.
IP bridged tagged
  Ingress action: Examine packet 802.1p value, assign QoS level based on ingress 802.1p to QoS mapping. Send to the appropriate egress queue.
  Egress marking: Keep original DSCP value. Keep original 802.1p value if the packet was tagged. If it was not tagged, but needs to be tagged, set 802.1p based on egress mapping.
IP routed
  Ingress action: Examine packet DSCP value, assign QoS level based on ingress DSCP to QoS mapping. Send to the appropriate egress queue.
  Egress marking: Keep original DSCP value. Keep original 802.1p value if the packet was tagged. If it was not tagged, but needs to be tagged, set 802.1p based on egress mapping.
Non-IP tagged
  Ingress action: Examine packet 802.1p value, assign QoS level based on ingress 802.1p to QoS mapping. Send to the appropriate egress queue.
  Egress marking: Keep original 802.1p value.
Non-IP untagged
  Ingress action: Choose QoS level based on MAC/Port/VLAN setting. Send to the appropriate egress queue.
  Egress marking: If the outgoing packet needs to be tagged, set 802.1p based on egress mapping.


Table 6: L2 and L3 Untrusted Port Actions

IP bridged or routed
  Ingress action: Ignore packet DSCP and 802.1p values. Assign QoS level based on MAC/Port/VLAN setting. Send to the appropriate egress queue.
  Egress marking: Remark DSCP based on QoS to DSCP egress map.
Non-IP
  Ingress action: Ignore packet DSCP and 802.1p values. Assign QoS level based on MAC/Port/VLAN setting. Send to the appropriate egress queue.
  Egress marking: Remark 802.1p based on QoS to 802.1p egress map.

Table 7: L2 Trusted and L3 Untrusted Port Actions

Tagged
  Ingress action: Examine packet 802.1p value, assign QoS level based on ingress 802.1p to QoS mapping. Send to the appropriate egress queue.
  Egress marking: Keep original 802.1p and DSCP values.
Untagged
  Ingress action: Assign QoS level based on MAC/Port/VLAN setting. Send to the appropriate egress queue.
  Egress marking: Mark 802.1p based on QoS to 802.1p egress map. Keep original DSCP value.

Table 8: L2 Untrusted and L3 Trusted Port Actions

IP bridged or routed
  Ingress action: Examine packet DSCP value, assign QoS level based on ingress DSCP to QoS mapping. Send to the appropriate egress queue.
  Egress marking: Keep original DSCP value. Mark 802.1p based on QoS to 802.1p egress map.
Non-IP
  Ingress action: Assign QoS level based on MAC/Port/VLAN setting. Send to the appropriate egress queue.
  Egress marking: Mark 802.1p based on QoS to 802.1p egress map.


Figure 5: Diffserv Access Mode – 802.1p Override

Port state: p-bit untrusted, DSCP untrusted, DiffServ enabled, DiffServ access port, 802.1p-override true.

1. ACL configured with remark DSCP or remark p-bit, and filter match?
   yes: please see Figure 10 "Access Control Lists".
   no: continue.
2. MAC QoS level defined?
   yes: internal QoS equals source MAC QoS level.
   no: continue.
3. VLAN QoS level greater than port QoS level?
   True: internal QoS level equals DSCP remarked level.
   False: internal QoS level equals port QoS level.
4. IP packet?
   yes: mark DSCP (use internal QoS to DSCP egress map table).
5. Egress port tagged?
   yes: remark p-bit (use internal QoS to p-bit egress map table).
6. Done.


Figure 6: DiffServ Core Mode – 802.1p Override Enabled

Port state: p-bit untrusted, DSCP trusted, enable-diffserv = true, access-diffserv = false, 802.1p-override enable (DiffServ core port).

1. ACL configured with remark DSCP or remark p-bit, and filter match?
   yes: please see Figure 10 "Access Control Lists".
   no: continue.
2. IP packet?
   yes: use the ingressmap table to assign QoS by honouring the incoming DSCP bits (bridged and routed traffic).
   no: continue.
3. MAC QoS level defined?
   yes: internal QoS equals source MAC QoS level.
   no: continue.
4. VLAN QoS level greater than port QoS level?
   True: internal QoS level equals VLAN QoS level.
   False: internal QoS level equals port QoS level.
5. Mark DSCP (use internal QoS to DSCP egress map table).
6. Egress port tagged?
   yes: remark p-bit (use internal QoS to p-bit egress map table).
7. Done.


Figure 7: DiffServ Core Ports – 802.1p Override Disable

Port state: p-bit trusted, DSCP trusted, enable-diffserv = true, access-diffserv = false, 802.1p-override disable (DiffServ core port).

1. ACL configured with remark DSCP or remark p-bit, and filter match?
   yes: please see Figure 10 "Access Control Lists".
   no: continue.
2. IP packet?
   yes: Routed IP?
        yes: use the ingressmap table to assign QoS by honouring the incoming DSCP.
        no: go to step 3.
   no: go to step 3.
3. Ingress tagged?
   yes: use the ingressmap table to assign QoS by honouring the incoming p-bits.
   no: continue.
4. MAC QoS level defined?
   yes: internal QoS equals source MAC QoS level.
   no: continue.
5. VLAN QoS level greater than port QoS level?
   True: internal QoS level equals VLAN QoS level.
   False: internal QoS level equals port QoS level.
6. Egress port tagged?
   yes: mark p-bit (use internal QoS to p-bit egress map table).
7. Done.


Figure 8: DiffServ Access Mode – 802.1p Override Disabled

Port state: p-bit trusted, DSCP untrusted, enable-diffserv = true, access-diffserv = true, 802.1p-override disable (DiffServ access port).

1. ACL configured with remark DSCP or remark p-bit, and filter match?
   yes: please see Figure 10 "Access Control Lists".
   no: continue.
2. Ingress packet tagged?
   yes: use the ingressmap table to assign QoS by honouring the incoming p-bits (bridged and routed traffic).
   no: continue.
3. MAC QoS level defined?
   yes: internal QoS equals source MAC QoS level.
   no: continue.
4. VLAN QoS level greater than port QoS level?
   True: internal QoS level equals VLAN QoS level.
   False: internal QoS level equals port QoS level.
5. Egress port tagged?
   yes: remark p-bit (use internal QoS to p-bit egress map table).
6. Done.


Figure 9: DiffServ Disabled

Port state: DiffServ disabled.

1. ACL configured with remark DSCP or remark p-bit, and filter match?
   yes: please see Figure 10 "Access Control Lists".
   no: continue.
2. p-bit override enabled?
   no: Packet tagged?
        yes: use the ingressmap to assign the internal QoS by honouring the incoming 802.1p bits, for both routing and bridging traffic.
        no: go to step 3.
   yes: go to step 3.
3. MAC QoS level defined?
   yes: internal QoS equals source MAC QoS level.
   no: continue.
4. VLAN QoS level greater than port QoS level?
   True: internal QoS level equals VLAN QoS level.
   False: internal QoS level equals port QoS level.
5. If the egress port is tagged, use the egress QoS to p-bit mapping table to remark the p-bit.
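The trust decisions of Tables 5 to 8 and Figures 5 to 9 can be exercised offline before a port is configured. The Python model below is an added example and not Nortel code: it follows the tables, and the ingress and egress maps it uses (802.1p value p to level p, DSCP class selector CSn to level n, and the reverse on egress) are constructed stand-ins for the switch's real tables shown by show qos ingressmap and show qos egressmap.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class PortConfig:
    enable_diffserv: bool   # config ethernet <slot/port> enable-diffserv
    access_diffserv: bool   # config ethernet <slot/port> access-diffserv
    dot1p_override: bool    # config ethernet <slot/port> 802.1p-override
    port_qos: int = 1       # default port QoS level (Section 5.4)
    vlan_qos: int = 1       # default VLAN QoS level (Section 5.4)
    mac_qos: Dict[str, int] = field(default_factory=dict)  # MAC QoS entries (Section 5.5)


@dataclass
class Packet:
    is_ip: bool
    tagged: bool
    routed: bool = False
    dscp: int = 0
    pbits: int = 0
    src_mac: str = ""


# Constructed ingress/egress maps: the switch's real tables are displayed by
# 'show qos ingressmap' and 'show qos egressmap' and are not reproduced here.
def ingressmap_1p(pbits: int) -> int:
    return pbits & 0x7            # p-bit value p -> level p

def ingressmap_ds(dscp: int) -> int:
    return (dscp >> 3) & 0x7      # class selector CSn -> level n

def egressmap_1p(level: int) -> int:
    return level                  # level p -> p-bit value p

def egressmap_ds(level: int) -> int:
    return level << 3             # level n -> CSn


def pbits_trusted(cfg: PortConfig) -> bool:
    # L2 trusted port: 802.1p-override disabled honours incoming p-bits
    return not cfg.dot1p_override

def dscp_trusted(cfg: PortConfig) -> bool:
    # L3 trusted port: DiffServ core port (enable-diffserv true, access-diffserv false)
    return cfg.enable_diffserv and not cfg.access_diffserv


def mac_vlan_port_level(cfg: PortConfig, pkt: Packet) -> int:
    # A source MAC QoS level wins; otherwise the higher of the VLAN and port level
    if pkt.src_mac in cfg.mac_qos:
        return cfg.mac_qos[pkt.src_mac]
    return cfg.vlan_qos if cfg.vlan_qos > cfg.port_qos else cfg.port_qos


def internal_qos(cfg: PortConfig, pkt: Packet) -> int:
    """Internal QoS level assigned at ingress when no ACL remarks the packet."""
    # Core port: DSCP is honoured for routed IP, and for bridged IP as well when
    # p-bits are untrusted (Figure 6); with trusted p-bits, bridged IP is
    # classified like any tagged frame (Figure 7, Table 5 'IP bridged tagged').
    if pkt.is_ip and dscp_trusted(cfg) and (pkt.routed or not pbits_trusted(cfg)):
        return ingressmap_ds(pkt.dscp)
    if pkt.tagged and pbits_trusted(cfg):
        return ingressmap_1p(pkt.pbits)
    return mac_vlan_port_level(cfg, pkt)


def egress_marking(cfg: PortConfig, pkt: Packet, level: int,
                   egress_tagged: bool) -> Tuple[int, Optional[int]]:
    """Return (outgoing DSCP, outgoing p-bits or None for an untagged egress port)."""
    # DSCP is rewritten from the internal level only on a DiffServ access port
    # with 802.1p override enabled (Table 6, Figure 5); otherwise it is kept.
    if pkt.is_ip and cfg.enable_diffserv and cfg.access_diffserv and cfg.dot1p_override:
        dscp_out = egressmap_ds(level)
    else:
        dscp_out = pkt.dscp
    if not egress_tagged:
        return dscp_out, None
    # Original p-bits survive only if the frame arrived tagged on an L2 trusted port
    if pkt.tagged and pbits_trusted(cfg):
        return dscp_out, pkt.pbits
    return dscp_out, egressmap_1p(level)


def classify(cfg: PortConfig, pkt: Packet, egress_tagged: bool = True) -> dict:
    level = internal_qos(cfg, pkt)
    dscp_out, pbits_out = egress_marking(cfg, pkt, level, egress_tagged)
    return {"level": level, "dscp": dscp_out, "pbits": pbits_out}


if __name__ == "__main__":
    # Constructed sample: routed IP frame carrying CS4 (DSCP 32) and p-bit 5
    routed = Packet(is_ip=True, tagged=True, routed=True, dscp=32, pbits=5)
    print(classify(PortConfig(True, False, True), routed))   # Figure 6: level 4, p-bits remarked
    print(classify(PortConfig(True, False, False), routed))  # Figure 7: level 4, p-bits kept
    print(classify(PortConfig(True, True, True, mac_qos={"00:00:00:00:01:0a": 2}),
                   Packet(is_ip=True, tagged=False, src_mac="00:00:00:00:01:0a")))  # Figure 5
```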


Figure 10: Access Control Lists

Entry: ACL configured with remark DSCP or remark p-bit, and filter matched (yes).

1. Action Police?
   no: go to Figure 11 "Access Control Lists con't".
   yes: continue.
2. Rate above Peak?
   Yes: drop packet.
   No: continue.
3. Rate above Service Rate?
   Yes: packet re-coloured.
   No: admit packet.
4. Go to Figure 11 "Access Control Lists con't".


Figure 11: Access Control Lists Continued

1. Remark DSCP?
   yes: Remark 802.1p?
        Yes: remark DSCP and remark 802.1p; internal QoS based on the equal or greater of 802.1p or DSCP.
        No: remark DSCP; internal QoS based on DSCP.
   no: Remark 802.1p?
        Yes: remark 802.1p; internal QoS based on 802.1p.
        No: Remap Egress Queue? If No, normal QoS.
2. Remark Egress Queue?
   Yes: forward packet to egress queue based on filter action.
   No: forward packet to egress queue based on QoS to Egress Queue Map.


5.3 QoS for R-Mode Modules


Release 4.0 contains two different QoS implementations, as shown in the table
below. Note the following in relation to the table:
• Same-type module configurations
  o All R-modules with the new 8692SF
  o All Classical modules with 8692SF for 8690/8691
• Mixed-chassis configuration
  o Classical modules and R-modules with the new 8692SF
• Mixed-chassis configuration operating in Default/M-mode: the following features
  are only available on R-modules
  o 3-color, 2-bucket ingress policing
  o Advanced ingress/egress ACLs
  o SMLT/IST on 10GIG
• All R-module chassis configuration operating in R-mode
  o All features listed above, plus
  o Advanced QoS with bandwidth reservation capabilities and egress shaping
    per port/queue
  o 256k routes supported

Table 9: QoS Features Supported (e = enable, d = disable)

Chassis config     | Operation mode | R | M | E | pre-E | QoS      | Filters               | Policing              | Shaping
-------------------+----------------+---+---+---+-------+----------+-----------------------+-----------------------+---------
Same-type modules  | Default        | - | - | - | e     | classic  | classic               | classic               | -
chassis            |                | - | - | e | -     | classic  | classic               | classic               | -
                   | M              | - | e | - | -     | classic  | classic               | classic               | -
                   | R              | e | - | - | -     | advanced | advanced              | advanced              | advanced
Mixed-type modules | Default        | e | e | e | e     | classic  | classic/adv. on R-mod | classic/adv. on R-mod | -
chassis            |                | e | e | e | e     | classic  | classic/adv. on R-mod | classic/adv. on R-mod | -
                   | M              | e | e | d | d     | classic  | classic/adv. on R-mod | classic/adv. on R-mod | -
                   | R              | e | d | d | d     | advanced | advanced              | advanced              | advanced
NOTE: If R-mode is enabled, a mixture of modules (non-E, E, M, and R) is not
supported. If M-mode is enabled and one or more modules installed in the chassis
is an E module (32,000 table entries), the E modules will be disabled. This protects
the system forwarding tables from lost entries.


5.3.1 Configuring R-mode


To configure the switch for R-mode, use the following commands. Note that after
the switch has been set for R-mode, the configuration should be saved and the
switch must be rebooted.
• Passport-8610:5# config sys set flags ?
Sub-Context:
Current Context:

r-mode <true|false>
m-mode <true|false>
enhanced-operational-mode <true|false>
vlan-optimization-mode <true|false>
info
• Passport-8610:5# config sys set flags r-mode true
• Passport-8610:5# save config
• Passport-8610:5# boot -y

5.4 Changing the Default Port or VLAN QoS Levels


The default port or VLAN QoS levels can be changed to assign a default QoS level
for all traffic providing the packet is not matched by an ACL to remark the packet.
By default, the port and VLAN QoS level is set to 1 (one).
To change the port QoS level, enter the command below:
• Passport-8610:5# config ethernet <slot/port> qos-level ?
set Internal Qos Level for a port
Required parameters:
<0...7> = operation {0..7}
Command syntax:
qos-level <0...7>
To change the VLAN QoS level, enter the command below:
• Passport-8610:5# config vlan <vlan #> qos-level ?
set Internal Qos Level for a vlan
Required parameters:
<0...7> = operation {0..7}
Command syntax:
qos-level <0...7>


5.5 Adding a MAC QoS Level


A QoS level can also be applied to a source MAC address, again providing the
packet is not matched by an ACL that remarks the packet. The MAC QoS level can be
modified for a learned MAC address, or added as part of a static MAC entry.
To change the source MAC QoS level for a dynamically learned address, enter the
command below:
• Passport-8610:5# config vlan <vlan #> fdb-entry qos-level ?
set fdb Qos Level
Required parameters:
<mac> = mac address {0x00:0x00:0x00:0x00:0x00:0x00}
status <value> = fdb status {other|invalid|learned|self|mgmt}
<0...7> = set qos level 0..7 {0..7}
Command syntax:
qos-level <mac> status <value> <0...7>
To change the source MAC QoS level to a static address, enter the command
below:
• Passport-8610:5# config vlan <vlan #> fdb-static ?
Sub-Context:
Current Context:

add <mac> port <value> qos <value>


info
remove <mac>
For example, to change the source MAC QoS level to 2 for the MAC address
00:00:00:00:01:0a on VLAN 2 via port 7/26, enter the command below:
• Passport-8610:5# config vlan 2 fdb-static add 00:00:00:00:01:0a port
7/26 qos 2


6. Configuration Examples
6.1 Configuration Example 1: Marking and Dropping Traffic

Figure 12: Example 1 Diagram (PP8600; VLAN 200; Server 1 10.1.1.2; Server 2 10.1.1.3; Hosts)


In this configuration example, we wish to accomplish the following:
• Drop tftp traffic
• Allow http server traffic from Server 1 and Server 2 only and mark with
Silver (CS2) service
• Mark all other traffic with Bronze (CS1) service
• Enable Statistics for each filter rule except for all other traffic marked with
Bronze
Please follow the steps below to filter on the above criteria.

6.1.1 Via CLI


A. Create a new ACT to filter on UDP src-port and TCP dst-port, and UDP dst-
port traffic and src-IP.
1. Create a new ACT with ID = 1
• Passport-8610:5# config filter act 1 create

2. Select IP attributes of source IP and IP protocol type


• Passport-8610:5# config filter act 1 ip srcIp, ipProtoType

3. Select Protocol Attributes of TCP source port, TCP destination port, and
UDP destination port
• Passport-8610:5# config filter act 1 protocol
tcpSrcPort,tcpDstPort,udpDstPort
4. Enable ACT 1
• Passport-8610:5# config filter act 1 apply
B. Create ACL 1:
1. Create ACL 1 with type of ingress VLAN:
• Passport-8610:5# config filter acl 1 create inVlan act 1
2. Add ingress VLAN of 200 to ACL 1:


• Passport-8610:5# config filter acl 1 vlan add 200


C. Add ACEs to ACL 1:
1. Add ACE 1 with action of deny tftp traffic and statistics enabled:
• Passport-8610:5# config filter acl 1 ace 1 create
• Passport-8610:5# config filter acl 1 ace 1 action deny stop-on-
match true
• Passport-8610:5# config filter acl 1 ace 1 debug count enable
• Passport-8610:5# config filter acl 1 ace 1 ip ip-protocol-type eq
udp
• Passport-8610:5# config filter acl 1 ace 1 protocol udp-dst-port eq
tftp
• Passport-8610:5# config filter acl 1 ace 1 enable
2. Set ACE 2 with action of permit to remark DSCP to Silver (CS2) for WEB
servers 10.1.1.2 and 10.1.1.3 for http traffic (TCP src-port 80) and enable
statistics:
• Passport-8610:5# config filter acl 1 ace 2 create
• Passport-8610:5# config filter acl 1 ace 2 action permit remark-
dscp phbcs2 stop-on-match true
• Passport-8610:5# config filter acl 1 ace 2 debug count enable
• Passport-8610:5# config filter acl 1 ace 2 ip src-ip eq 10.1.1.2-
10.1.1.3
• Passport-8610:5# config filter acl 1 ace 2 ip ip-protocol-type eq tcp
• Passport-8610:5# config filter acl 1 ace 2 protocol tcp-src-port eq
80
• Passport-8610:5# config filter acl 1 ace 2 enable
3. Set ACE 3 to deny WEB traffic from all other hosts, TCP source port 80:
• Passport-8610:5# config filter acl 1 ace 3 create
• Passport-8610:5# config filter acl 1 ace 3 action deny stop-on-
match true
• Passport-8610:5# config filter acl 1 ace 3 debug count enable
• Passport-8610:5# config filter acl 1 ace 3 ip ip-protocol-type eq tcp
• Passport-8610:5# config filter acl 1 ace 3 protocol tcp-src-port eq
80
• Passport-8610:5# config filter acl 1 ace 3 enable
4. Set ACE 4 to remark all other traffic to Bronze (CS1):
• Passport-8610:5# config filter acl 1 ace 4 create
• Passport-8610:5# config filter acl 1 ace 4 action permit remark-
dscp phbcs1 stop-on-match true
• Passport-8610:5# config filter acl 1 ace 4 debug count enable
• Passport-8610:5# config filter acl 1 ace 4 ip src-ip ge 0.0.0.0
• Passport-8610:5# config filter acl 1 ace 4 enable
• Passport-8610:5# config filter acl 1 ace default debug match-count
kbytes-pkts


D. View Filter Statistics


To view the ACE Statistics, enter the following command:

• Passport-8610:5# show filter acl statistics port


===========================================================================
                       Filter Port Statistics Table
===========================================================================
Acl  Acl     Acl     Ace  Port  Packets     Bytes
Id   Name    Type    Id   Num
---------------------------------------------------------------------------
1    ACL-1   inVlan  1    4/19  0           0
                          4/22  0           0
                          4/24  0           0
                          4/25  0           0
                          4/26  0           0
                          4/27  0           0
                          4/28  0           0
                     2    4/19  0           0
                          4/22  0           0
                          4/24  0           0
                          4/25  0           0
                          4/26  0           0
                          4/27  0           0
                          4/28  0           0
                     3    4/19  0           0
                          4/22  0           0
                          4/24  0           0
                          4/25  6640253     424976192
                          4/26  0           0
                          4/27  0           0
                          4/28  0           0
                     4    4/19  50324       3220736
                          4/22  0           0
                          4/24  0           0
                          4/25  219688530   14060065920
                          4/26  0           0
                          4/27  225213301   14413651264
                          4/28  0           0

Displayed 28 of 28 entries


6.1.2 Via JDM


A. Create ACT 1
Create a new ACT to filter on UDP src-port and TCP dst-port, and UDP dst-
port traffic and src-IP.
1. Go to Security, click on Advanced L2-L7 Filter, and select ACL. When
prompted with the ‘NOTE: Filter configuration of R-modules only’ dialog
box, click on OK.
2. Via the ACT tab, click on Insert. You can add an ACT number and name if
you wish, or just leave the default settings. The default name in this case
should be ACT-1; this name will be used in step B when configuring the
ACL. Next, check the following items:
• IpAttrs: srcIp and ipProtoType
• ProtocolAttrs: tcpSrcPort, tcpDstPort, and udpDstPort
• Click on Insert when completed

3. Finally, via the main ACT window, under the Apply icon, select true. This
step must be complete prior to configuring the ACL.

B. Create ACL 1:
Via the ACL main window, click on the ACL tab and click on Insert. Unless you
wish to change the ACL id, leave the default setting which should default to 1 if
this is the first ACL configured. Next, configure the following
• ActId: Select (1) ACT-1
• Type: inVlan
• Name: ACL-1 (if using the default name)


• VlanList: select (200) VLAN-200


• DefaultAction: permit
• GlobalAction: none
• State: enable
• Click on Insert when completed

C. Add ACEs to ACL 1:

1. Add ACE 1 with action deny tftp traffic and statistics enabled.
Start by clicking on AclId 1 and then clicking on ACE via the ACL tab in the
ACL window. Next, click on Insert. The default AceId should be 1. If you do
not enter a name, a default name of ACE-1 will be used. Hence, do not enter
anything in the AceId and Name windows. Next, enter the following:
• Mode: deny
• Flags: Count
• StopOnMatch: enable
• Click on Insert to complete ACE 1 configuration


Select UDP protocol type


Via the ACE Common tab, click on IP and click on Protocol tab. Click on
Insert and enter the following
• Oper: eq
• List: udp
• Click on Insert when completed

Select UDP port of tftp


Via the ACE Common tab, click on Proto and select the UDP Destination
Port Tab. Click on Insert and enter the following
• Oper: eq
• Port: tftp
• Click on Insert when completed
2. Add ACE 2 with action of permit http traffic from Server 1 and 2 and remark
to DSCP CS2:
Start by clicking on Insert via the ACE Common tab. The default AceId
should be 2. If you do not enter a name, a default name of ACE-2 will be
used. Hence, do not enter anything in the AceId and Name windows. Next,
enter the following:
• Mode: permit
• RemarkDscp: phbcs2
• StopOnMatch: enable
• Flags: Count
• Click on Insert to complete ACE 2 configuration

Select Source IP address of Server 1 and 2 and TCP protocol type


Via the ACE Common tab with ACE-2 selected, click on IP and select the
Source Address Tab. Click on Insert and enter the following:
• Oper: eq
• List: 10.1.1.2-10.1.1.3
• Click on Insert when completed
Next, click the Protocol tab, click on Insert and enter the following:
• Oper: eq
• List: tcp
• Click on Insert when completed


Select TCP port of http


Via the ACE Common tab, click on IP, select the Protocol Tab, and then
the TCP Source Port tab. Click on Insert and enter the following
• Oper: eq
• Port: 80
• Click on Insert when completed
3. Set ACE 3 to deny http source traffic from all hosts
Start by clicking on Insert via the ACE Common tab. The default AceId
should be 3. If you do not enter a name, a default name of ACE-3 will be
used. Hence, do not enter anything in the AceId and Name windows. Next,
enter the following:
• Mode: deny
• Flags: Count
• StopOnMatch: enable
• Click on Insert to complete ACE 3 configuration

Select TCP protocol type


Via the ACE Common tab, click on IP and click on Protocol tab. Click on
Insert and enter the following
• Oper: eq
• List: tcp
• Click on Insert when completed
Select TCP source port of http
Via the ACE Common tab, click on Proto and select the TCP Source Port
Tab. Click on Insert and enter the following
• Oper: eq
• Port: 80
• Click on Insert when completed
4. Set ACE 4 to permit all other traffic and remark to DSCP CS1.
Start by clicking on Insert via the ACE Common tab. The default AceId
should be 4. If you do not enter a name, a default name of ACE-4 will be
used. Hence, do not enter anything in the AceId and Name windows. Next,
enter the following:
• Mode: permit
• RemarkDscp: phbcs1
• StopOnMatch: enable
• Click on Insert to complete ACE 4 configuration

Select Source IP address of greater than 0.0.0.0


Via the ACE Common tab, click on IP and click on the Source Address tab.
Click on Insert and enter the following
• Oper: ge
• List: 0.0.0.0
• Click on Insert when completed


D. Enable all ACEs

Via the ACE Common tab, make sure all ACEs are enabled via the
AdminState tab.


6.1.3 Changing the Default Egress Queue


In the configuration above, we simply configured an ACL with two ACEs to remark
the DSCP value upon a filter match. An ACE can also be configured to either select
a NNSC color or Egress Queue number to override the default ingress/egress
queue mapping.
The following command is used to change the default NNSC color:
• Passport-8610:5# config filter acl <value> ace <value> action permit remark-dscp <value> egress-queue-nnsc <critical|custom|premium|platinum|gold|silver|bronze|standard|disable>
• Passport-8610:5# config filter acl <value> ace <value> action permit remark-dot1p <value> egress-queue-nnsc <critical|custom|premium|platinum|gold|silver|bronze|standard|disable>
The following command is used to change the default NNSC queue number:
• Passport-8610:5# config filter acl <value> ace <value> action permit remark-dscp <value> egress-queue <0..64>
or
Passport-8610:5# config filter acl <value> ace <value> action permit remark-dscp <value> egress-queue <0..64>,<0..64>
or
Passport-8610:5# config filter acl <value> ace <value> action permit remark-dscp <value> egress-queue <0..64>,<0..64>,<0..64>
• Passport-8610:5# config filter acl <value> ace <value> action permit remark-dot1p <value> egress-queue <0..64>
or
Passport-8610:5# config filter acl <value> ace <value> action permit remark-dot1p <value> egress-queue <0..64>,<0..64>
or
Passport-8610:5# config filter acl <value> ace <value> action permit remark-dot1p <value> egress-queue <0..64>,<0..64>,<0..64>
NOTE: The egress queue number can be a single value, 2 values or 3
values. The three values are for Egress Queue ID for 10/100 I/O module,
Queue ID for 1GigE I/O module, and Queue ID for 10GigE I/O module. If only
one value is specified, the same value is applied to all three I/O module
types. If two values are specified, the first value is applied to 10/100 I/O
modules, and the second value is applied to 1 GigE and 10 GigE I/O
modules. If three values are specified, the three values are applied to 10/100,
1 GigE, and 10 GigE I/O modules respectively.
NOTE: If you are not using one of the default queue sets, i.e. queue set 1 or
2, you must use ACL’s to remark and select the appropriate queue.


View Commands:
To view the default QoS Ingress mapping, use the following command:
• Passport-8610:5# show qos ingressmap ?
Sub-Context:
Current Context:

1p [<ieee1p>]
ds [<dscp>]
To view the default QoS Egress mapping, use the following command:
• Passport-8610:5# show qos egressmap ?
Sub-Context:
Current Context:

1p [<level>]
ds [<level>]
To view the default internal QoS to Egress Queue mapping, use the following
command:
• Passport-8610:5# show qos config eqmap <slot number>
To view the QoS level and shaper table, enter the following command:
• Passport-8610:5# show qos config egress-queue-set egress-queue-set
<1..386> queues
Where queue 1 is the default queue set for the 10/100/1000 I/O module and queue
2 is the default queue set for the GigE and 10 GigE I/O modules. For example, to
view the GigE default queue set, enter the following command:
• Passport-8610:5# show qos config egress-queue-set egress-queue-set 2
queues


6.2 Configuration Example 2: Filter Ranges and Policing

Figure 13: Filter Ranges and Policing (PP8600; VLAN 2; ports 7/29 and 7/30)

In this configuration example, we wish to perform the following in regard to all users
on VLAN 2:
• Platinum service for UDP destination ports 1124 to 1784
• Police all traffic using TCP destination ports 20-21 at CIR = 1Mbps, Peak
Rate = 2Mbps and mark to Bronze Service

6.2.1 Via CLI


A. Create Police Profile
1. Create police policy.
• Passport-8610:5# config qos policy 1 create peak-rate 2000 svc-
rate 1000 lanes 7/3

NOTE: The lane members value in this example is 7:3 because the ERS 8630 module
used for this configuration example is located in slot 7, using port members 7/29
and 7/30. Please see Section 4 for more details.
B. Create a new ACT to filter on UDP dst-port and TCP dst-port:
1. Create a new ACT with ID = 1
• Passport-8610:5# config filter act 1 create

2. Select protocol attributes of TCP destination port and UDP destination port


• Passport-8610:5# config filter act 1 protocol
tcpDstPort,udpDstPort

3. Enable ACT 1
• Passport-8610:5# config filter act 1 apply
C. Create ACL 1:
1. Create ACL 1 with type of ingress VLAN:
• Passport-8610:5# config filter acl 1 create inVlan act 1
2. Add ingress VLAN of 2 to ACL 1:
• Passport-8610:5# config filter acl 1 vlan add 2


D. Add ACEs to ACL 1:


1. Add ACE 1 with action of permit to remark DSCP to AF41 for UDP port
range 1124-1784 and statistics enabled:
• Passport-8610:5# config filter acl 1 ace 1 create name UDP-Range
• Passport-8610:5# config filter acl 1 ace 1 action permit remark-
dscp phbaf41
• Passport-8610:5# config filter acl 1 ace 1 debug count enable
• Passport-8610:5# config filter acl 1 ace 1 protocol udp-dst-port eq
1124-1784
• Passport-8610:5# config filter acl 1 ace 1 enable
2. Set ACE 2 with action of permit to remark DSCP to Bronze for TCP ports
20-21 and enable statistics:
• Passport-8610:5# config filter acl 1 ace 2 create name Police_1
• Passport-8610:5# config filter acl 1 ace 2 action permit remark-
dscp phbaf11 police 1
• Passport-8610:5# config filter acl 1 ace 2 debug count enable
• Passport-8610:5# config filter acl 1 ace 2 protocol tcp-dst-port eq
20-21
• Passport-8610:5# config filter acl 1 ace 2 enable
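To see how ACE order, stop-on-match and the police action interact before the ACL goes live, the Python model below is an added example (not Nortel code): it evaluates ACL 1 of Example 1 (Section 6.1.1) and the policed ACE 2 of Example 2 (Section 6.2.1) against constructed packets, reducing the policer to the two rate checks of Figure 10 with a measured rate supplied per packet. It assumes ACEs are evaluated in ascending id order and that an unmatched packet gets the ACL's default action.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

DSCP = {"phbcs1": 8, "phbcs2": 16, "phbaf11": 10, "phbaf41": 34}   # PHB -> DSCP value


@dataclass
class Packet:
    src_ip: str
    proto: str               # "tcp" or "udp"
    src_port: int = 0
    dst_port: int = 0
    dscp: int = 0
    rate_kbps: int = 0       # measured flow rate, consulted only by a policed ACE


@dataclass
class Ace:
    ace_id: int
    action: str                                  # "permit" or "deny"
    ip_proto: Optional[str] = None               # ip ip-protocol-type eq <tcp|udp>
    src_ip: Optional[Tuple[str, str]] = None     # ip src-ip eq <a>-<b> (inclusive)
    src_ip_ge: Optional[str] = None              # ip src-ip ge <a>
    tcp_src: Optional[Tuple[int, int]] = None    # protocol tcp-src-port eq <range>
    tcp_dst: Optional[Tuple[int, int]] = None    # protocol tcp-dst-port eq <range>
    udp_dst: Optional[Tuple[int, int]] = None    # protocol udp-dst-port eq <range>
    remark_dscp: Optional[str] = None            # action ... remark-dscp <phb>
    police: Optional[Tuple[int, int]] = None     # (peak-rate, svc-rate) of the police policy
    stop_on_match: bool = True
    count: int = 0                               # debug count enable

    def matches(self, p: Packet) -> bool:
        ip = ipaddress.ip_address(p.src_ip)
        if self.ip_proto and p.proto != self.ip_proto:
            return False
        if self.src_ip and not (ipaddress.ip_address(self.src_ip[0]) <= ip
                                <= ipaddress.ip_address(self.src_ip[1])):
            return False
        if self.src_ip_ge and ip < ipaddress.ip_address(self.src_ip_ge):
            return False
        for rng, port, proto in ((self.tcp_src, p.src_port, "tcp"),
                                 (self.tcp_dst, p.dst_port, "tcp"),
                                 (self.udp_dst, p.dst_port, "udp")):
            if rng and (p.proto != proto or not rng[0] <= port <= rng[1]):
                return False
        return True


def evaluate(acl: List[Ace], p: Packet, default_action: str = "permit") -> dict:
    """Walk the ACEs in id order and return the decision for one packet."""
    decision = None
    for ace in sorted(acl, key=lambda a: a.ace_id):
        if not ace.matches(p):
            continue
        ace.count += 1
        if ace.action == "deny":
            return {"ace": ace.ace_id, "action": "drop", "dscp": p.dscp}
        decision = {"ace": ace.ace_id, "action": "permit", "dscp": p.dscp, "color": "green"}
        if ace.police:                         # Figure 10
            peak, svc = ace.police
            if p.rate_kbps > peak:             # above peak rate: drop
                return {"ace": ace.ace_id, "action": "drop", "dscp": p.dscp}
            if p.rate_kbps > svc:              # above service rate: re-coloured, still admitted
                decision["color"] = "yellow"
        if ace.remark_dscp:                    # Figure 11
            decision["dscp"] = DSCP[ace.remark_dscp]
        if ace.stop_on_match:
            break
    return decision or {"ace": None, "action": default_action, "dscp": p.dscp}


# ACL 1 of Example 1 (Section 6.1.1), transcribed from its CLI steps
EXAMPLE1 = [
    Ace(1, "deny", ip_proto="udp", udp_dst=(69, 69)),                 # tftp
    Ace(2, "permit", ip_proto="tcp", src_ip=("10.1.1.2", "10.1.1.3"),
        tcp_src=(80, 80), remark_dscp="phbcs2"),
    Ace(3, "deny", ip_proto="tcp", tcp_src=(80, 80)),
    Ace(4, "permit", src_ip_ge="0.0.0.0", remark_dscp="phbcs1"),
]

# ACL 1 of Example 2 (Section 6.2.1); police policy 1 is peak-rate 2000, svc-rate 1000
EXAMPLE2 = [
    Ace(1, "permit", udp_dst=(1124, 1784), remark_dscp="phbaf41"),
    Ace(2, "permit", tcp_dst=(20, 21), remark_dscp="phbaf11", police=(2000, 1000)),
]

if __name__ == "__main__":
    # Constructed sample packets
    print(evaluate(EXAMPLE1, Packet("10.1.1.2", "tcp", src_port=80, dst_port=40000)))
    print(evaluate(EXAMPLE2, Packet("10.1.1.20", "tcp", src_port=5000, dst_port=21, rate_kbps=1500)))
```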

6.2.2 Via JDM


A. Create Police Policy
Create a new police policy with a sustained rate of 1M and a peak rate of 2M:
1. Go to QoS, select Policy and then click on Insert. Unless you wish to
change the GrId and Policy Name, leave the default setting of 1 and
POLICY-1 respectively.
2. Next enter the following:
• PeakRate: 2000
• SvcRate: 1000
• LaneMembers: 7:3 (Port 7/21-30)
• Click on Insert when completed

NOTE: The lane members value in this example is 7:3 because the ERS 8630 module
used for this configuration example is located in slot 7, using port members 7/29
and 7/30. Please see Section 4 for more details.
B. Create ACT 1
Create a new ACT to filter on UDP src-port and TCP src-port.
1. Go to Security, click on Advanced L2-L7 Filter, and select ACL. When
prompted with the ‘NOTE: Filter configuration of R-modules only’ dialog
box, click on OK.
2. Via the ACT tab, click on Insert. You can add an ACT number and name if
you wish, or just leave the default settings. The default name in this case
should be ACT-1; this name will be used in step C when configuring the
ACL. Next, check the following items:
• ProtocolAttrs: tcpSrcPort and udpSrcPort
• Click on Insert when completed


3. Finally, via the main ACT window, under the Apply icon, select true. This
step must be complete prior to configuring the ACL.
C. Create ACL 1:
Via the ACL main window, click on the ACL tab and click on Insert. Unless you
wish to change the ACL id, leave the default setting which should default to 1 if
this is the first ACL configured. Next, configure the following:
• ActId: Select (1) ACT-1
• Type: inVlan
• Name: ACL-1 (if using the default name)
• VlanList: select (2) VLAN-2
• DefaultAction: permit
• GlobalAction: none
• State: enable
• Click on Insert when completed

D. Add ACEs to ACL 1:

1. Add ACE 1 with action of permit, remark DSCP to AF41 and statistics
enabled for UDP port range 1124 to 1754.
Start by clicking on AclId 1 and then clicking on ACE via the ACL tab in the
ACL window. Next, click on Insert. The default AceId should be 1. If you do
not enter a name, a default name of ACE-1 will be used. Hence, do not enter
anything in the AceId and Name windows. Next, enter the following:
• Mode: permit
• RemarkDscp: phbaf41
• Flags: Count
• Click on Insert to complete ACE 1 configuration
Select UDP protocol type and range
Via the ACE Common tab, highlight AceId 1, click on Proto and click on
UDPDestination Port tab. Click on Insert and enter the following:
• Oper: eq
• Port: 1124-1754
• Click on Insert when completed
2. Add ACE 2 with action of permit, remark DSCP to AF11 and statistics
enabled for TCP port range 20 to 20.
Start by clicking on Insert via the ACE Common tab. The default AceId
should be 2. If you do not enter a name, a default name of ACE-2 will be
used. Hence, do not enter anything in the AceId and Name windows. Next,
enter the following:
• Mode: permit
• RemarkDscp: phbaf11
• Police: 1
• Flags: Count
• Click on Insert to complete ACE 2 configuration

Select TCP protocol type and range


Via the ACE Common tab with ACE-2 selected, click on Proto and select
the TCP Destination Port Tab. Click on Insert and enter the following:


• Oper: eq
• Port: 20-21
• Click on Insert when completed
3. Enable all ACEs
Via the ACE Common tab, make sure all ACEs are enabled via the
AdminState tab.

6.3 Configuration Example 3: Setting Egress Queue Weight and Shaping Rate
As explained in Section 3 above, a Gigabit Ethernet port on an 8630 uses egress
queue set 2 by default. The following command displays the default settings
for that queue set.
Passport-8610:5# show qos config egress-queue-set egress-queue-set 2 queues

===========================================================================
R-Module QOS Shapers Table
===========================================================================
Qid Q-name Q-style min-rate max-rate max-q-length
---------------------------------------------------------------------------
0 Platinum Bal 10 100 163
1 Gold Bal 10 100 163
2 Silver Bal 5 100 327
3 Bronze Bal 15 100 327
4 Standard(Default) Bal 5 100 980
55 Custom low-pri 0 100 980
62 Premium high-pri 0 50 163
63 Critical/Network high-pri 0 5 163

The min-rate shown also represents the queue weight assigned to each CoS
under congestion.
For this example, we wish to change the default settings on all Gigabit Ethernet
ports for the Platinum, Gold, Silver and Bronze CoS. Overall, we wish to accomplish
the following:
• Assign Queue weight for Platinum to 40%
• Assign Queue weight for Gold to 25%
• Assign Queue weight for Silver to 15%
• Assign Queue weight for Bronze to 5%
NOTE: In order to accomplish this, we will also have to re-assign the Premium
maximum queue weight to 10 and change the minimum weight for Standard to 0.
The minimum weights of all balanced queues plus the maximum weights of the
Premium and Critical/Network queues must not exceed 100.
In order to accomplish this task, enter the following commands:
1. First, re-assign Qid 62 max-rate to 10.
• Passport-8610:5# config qos egress-queue-set 2 queue 62 set max-rate 10
2. Next, re-assign the balanced queues starting with the lowest min-rate first in
order not to exceed the 100 limit.
• Passport-8610:5# config qos egress-queue-set 2 queue 4 set min-rate 0
• Passport-8610:5# config qos egress-queue-set 2 queue 3 set min-rate 5
• Passport-8610:5# config qos egress-queue-set 2 queue 2 set min-rate 15
• Passport-8610:5# config qos egress-queue-set 2 queue 1 set min-rate 25
• Passport-8610:5# config qos egress-queue-set 2 queue 0 set min-rate 40

3. Apply the changes to queue set 2.
• Passport-8610:5# config qos egress-queue-set 2 apply

After we have configured queue set 2, it should look like the following:

Passport-8610:5# show qos config egress-queue-set egress-queue-set 2 queues

===========================================================================
R-Module QOS Shapers Table
===========================================================================
Qid Q-name Q-style min-rate max-rate max-q-length
---------------------------------------------------------------------------
0 Platinum Bal 40 100 163
1 Gold Bal 25 100 163
2 Silver Bal 15 100 327
3 Bronze Bal 5 100 327
4 Standard(Default) Bal 0 100 980
55 Custom low-pri 0 100 980
62 Premium high-pri 0 10 163
63 Critical/Network high-pri 0 5 163

Using the above configuration will also allow each balanced queue to forward traffic
up to its maximum rate if there is no congestion. Let's assume that we also wish to
shape the traffic of each of these queues to the same value as its minimum queue weight.

This can be accomplished by entering the following commands:

• Passport-8610:5# config qos egress-queue-set 2 queue 3 set min-rate 5 max-rate 5
• Passport-8610:5# config qos egress-queue-set 2 queue 2 set min-rate 15 max-rate 15
• Passport-8610:5# config qos egress-queue-set 2 queue 1 set min-rate 25 max-rate 25
• Passport-8610:5# config qos egress-queue-set 2 queue 0 set min-rate 40 max-rate 40
• Passport-8610:5# config qos egress-queue-set 2 apply

Passport-8610:5# show qos config egress-queue-set egress-queue-set 2 queue
===========================================================================
R-Module QOS Shapers Table
===========================================================================
Qid Q-name Q-style min-rate max-rate max-q-length
--------------------------------------------------------------------------
0 Platinum Bal 40 40 163
1 Gold Bal 25 25 163
2 Silver Bal 15 15 327
3 Bronze Bal 5 5 327
4 Standard(Default) Bal 0 100 980
55 Custom low-pri 0 100 980
62 Premium high-pri 0 10 163
63 Critical/Network high-pri 0 5 163
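The weight-budget rule in the NOTE above is easy to get wrong by hand, so here is an added Python helper (not part of the Nortel guide) that encodes the rule for queue set 2 as transcribed from the show output, checks a requested set of min-rate/max-rate targets, and orders the CLI commands so the budget never exceeds 100 at any intermediate step. The queue names, the 100 limit and the target values come from this section; the ordering rule (reductions first, then increases from smallest to largest) generalises the order the guide uses, and only the parameters that actually change are emitted.

```python
"""Plan min-rate/max-rate changes for an ERS 8600 R-module egress queue set
without breaking the 100 weight-budget rule stated in this section.
Added example, not Nortel code; queue names and defaults are transcribed
from the 'show qos config egress-queue-set' output above."""
from dataclasses import dataclass, replace

# Balanced-queue min-rates plus high-priority max-rates must not exceed this.
WEIGHT_LIMIT = 100


@dataclass(frozen=True)
class Queue:
    qid: int
    name: str
    style: str  # Q-style column: "Bal", "high-pri" or "low-pri"
    min_rate: int
    max_rate: int


# Default egress queue set 2 as shown in the guide.
DEFAULT_QSET2 = (
    Queue(0, "Platinum", "Bal", 10, 100),
    Queue(1, "Gold", "Bal", 10, 100),
    Queue(2, "Silver", "Bal", 5, 100),
    Queue(3, "Bronze", "Bal", 15, 100),
    Queue(4, "Standard(Default)", "Bal", 5, 100),
    Queue(55, "Custom", "low-pri", 0, 100),
    Queue(62, "Premium", "high-pri", 0, 50),
    Queue(63, "Critical/Network", "high-pri", 0, 5),
)


def weight_share(q):
    """A queue's share of the budget: min-rate if balanced, max-rate if
    high-priority; low-priority queues do not count."""
    if q.style == "Bal":
        return q.min_rate
    return q.max_rate if q.style == "high-pri" else 0


def weight_budget(queues):
    return sum(weight_share(q) for q in queues)


def plan_changes(queues, targets, qset=2):
    """Return (cli_commands, resulting_queues) for targets {qid: (min, max)}.
    Changes are ordered so the budget never exceeds WEIGHT_LIMIT at any
    step: reductions first (largest first), then increases from smallest
    to largest, generalising the order the guide uses. Raises ValueError
    if a target is inconsistent or the budget would be exceeded."""
    state = {q.qid: q for q in queues}
    steps = []
    for qid, (mn, mx) in targets.items():
        cur = state[qid]
        if mn > mx:
            raise ValueError(f"queue {qid}: min-rate {mn} exceeds max-rate {mx}")
        new = replace(cur, min_rate=mn, max_rate=mx)
        steps.append((weight_share(new) - weight_share(cur), qid, new))
    steps.sort(key=lambda s: (s[0], s[1]))

    commands = []
    for _, qid, new in steps:
        old, state[qid] = state[qid], new
        budget = weight_budget(state.values())
        if budget > WEIGHT_LIMIT:
            raise ValueError(f"after queue {qid}: budget {budget} exceeds {WEIGHT_LIMIT}")
        args = []
        if new.min_rate != old.min_rate:
            args.append(f"min-rate {new.min_rate}")
        if new.max_rate != old.max_rate:
            args.append(f"max-rate {new.max_rate}")
        if args:  # only emit the parameters that actually change
            commands.append(f"config qos egress-queue-set {qset} queue {qid} set " + " ".join(args))
    commands.append(f"config qos egress-queue-set {qset} apply")
    return commands, tuple(state[q.qid] for q in queues)


# Task 1 above: new weights for the balanced CoS queues plus the two changes
# the NOTE requires (Standard min-rate 0, Premium max-rate 10).
WEIGHT_TARGETS = {0: (40, 100), 1: (25, 100), 2: (15, 100), 3: (5, 100),
                  4: (0, 100), 62: (0, 10)}
# Task 2 above: shape each balanced queue to the same value as its weight.
SHAPE_TARGETS = {0: (40, 40), 1: (25, 25), 2: (15, 15), 3: (5, 5)}

if __name__ == "__main__":
    cmds, reweighted = plan_changes(DEFAULT_QSET2, WEIGHT_TARGETS)
    shape_cmds, shaped = plan_changes(reweighted, SHAPE_TARGETS)
    for c in cmds + shape_cmds:
        print(c)
    print("final budget:", weight_budget(shaped))
```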

6.3.1 Using Show Commands to Trace Ingress CoS to Egress Queue Mapping
After completing the configuration example in Section 5.3, we can trace the
ingress CoS to egress queue mapping by using the following show commands. Of
interest is the mapping for the CoS levels Platinum, Gold, Silver, and Bronze.

1. To view the ingress DSCP and 802.1p mappings, enter the following commands. In
this case, we will only show the mappings for Platinum (AF41, 0x22 or 34), Gold
(AF31, 0x1A or 26), Silver (AF21, 0x12 or 18), and Bronze (AF11, 0xA or 10).

Passport-8610:5# show qos ingressmap ds


========================================================================
Qos Ingress DSCP to QOS-Level Map
========================================================================
DSCP DSCP-bin QOSLEVEL
------------------------------------------------------------------------
10 001010 2
18 010010 3
26 011010 4
34 100010 5

Passport-8610:5# show qos ingressmap 1p


========================================================================
Qos Ingress IEEE 1P to QOS-Level Map
========================================================================
IEEE1P QOSLEVEL
------------------------------------------------------------------------

0 1
1 0
2 2
3 3
4 4
5 5
6 6
7 7

2. Next, to view the QoS Level to Egress Queue Mapping, enter the following
command assuming we have an ERS 8630 Gigabit Ethernet Module in Slot 7.

Passport-8610:5# show qos config eqmap 7


========================================================================
Internal-QOS to Egress Queue Map
========================================================================
Internal QOS Egress Queue
------------------------------------------------------------------------
0 55
1 4
2 3
3 2
4 1
5 0
6 62
7 63

3. Finally, to view the egress queue mapping to CoS level, enter the
following command:

Passport-8610:5# show qos config egress-queue-set egress-queue-set 2 queue
====================================================================
R-Module QOS Shapers Table
====================================================================
Qid Q-name Q-style min-rate max-rate max-q-length
--------------------------------------------------------------------
0 Platinum Bal 40 40 163
1 Gold Bal 25 25 163
2 Silver Bal 15 15 327
3 Bronze Bal 5 5 327
4 Standard(Default) Bal 0 100 980
55 Custom low-pri 0 100 980
62 Premium high-pri 0 10 163
63 Critical/Network high-pri 0 5 163

6.3.2 Changing the Ingress Mapping
If you wish, you can change the QoS ingress mapping by using the following
command:
• Passport-8610:5# config qos ingressmap ?
Sub-Context:
Current Context:

1p <ieee1p> <level>
ds <dscp> <level>
info

Map DS Byte to QOS Level


Required parameters:
<dscp> = Diff-Serv Code Point as Index {0..63}
<level> = QOS Level {0..7}
Command syntax:
ds <dscp> <level>

Map IEEE 1p Priority to QOS Level


Required parameters:
<ieee1p> = IEEE 1P as Index {0..7}
<level> = QOS Level {0..7}
Command syntax:
1p <ieee1p> <level>

6.4 Configuration Example – Changing Egress Port Shaper
In addition to supporting egress queue shaping, the R-modules also support egress
port shaping. While egress queue shaping provides shaping per queue, port
shaping shapes all outgoing traffic on a port to a specific rate.
Port shaping is configured at the port level using the following command:
• Passport-8610:5# config ethernet 7/29 shape ?
set shape or egress-rate-limit on ports, only apply to R-module port
Required parameters:
<kbps> = rate limit in kbps {1000..10000000}
Optional parameters:
<enable|disable> = operation {disable|enable}
Command syntax:
shape <kbps> [<enable|disable>]
For example, assuming we wish to shape port 7/29 to 10 Mbps, enter the following
command:
• Passport-8610:5# config ethernet 7/29 shape 10000 enable

6.5 Configuration Example – Deny ARP/MAC Spoofing Attack in a Layer 2 Environment
MAC spoofing involves sending frames with the known MAC address of another host
so that the switch forwards frames destined for that host to the attacker's port
instead. By sending frames with the other host's MAC address, the attacker is
telling the Layer 2 switch to forward that host's traffic to the attacker's port.
To correct this, the legitimate host must send out frames so that the switch
relearns its MAC address on the correct port. This type of attack is confined to
the switch itself, within the MAC/CAM address table.
An attacker can also perform ARP spoofing, claiming the IP address of an attacked
host and informing the remote systems to send traffic to the attacker's MAC
address. Gratuitous ARPs (gARP) can be used maliciously to spoof the IP address
of a host on a LAN segment, either to impersonate one host to another or to
divert all traffic from a default gateway in a man-in-the-middle attack.

Figure 14: Deny ARP/MAC Spoofing Attack (diagram: PP8600-A with VLAN 2 bridged
ports 7/26 to 7/29 and port 7/30, a routed port acting as default gateway .1 on
10.1.25.0/24, and PP8600-B)


In this configuration example:
• PP8600-A is configured with VLAN 2 with port members 7/26 to 7/30
• We will add an ACL to access ports 7/26 to 7/29 to prevent ARP/MAC
man-in-the-middle attacks
Basically, an ACL has to be set up to perform the following on all access ports:
a. Allow ARP requests as long as the dst MAC is the broadcast address
b. Deny gratuitous ARP responses that use the default gateway address as
either the src IP or the dst IP of the ARP response packet. This prevents an
attacker from spoofing the victim's IP address towards the default gateway and
the default gateway's address towards a victim
c. Allow ARP responses as the last ACL action
To add an ACL to prevent an ARP/MAC man-in-the-middle attack, perform the
following steps. For this example, a pre-defined ACT has already been set up by
default for ARP/MAC spoofing using ACT 4083. This can be verified by using the
‘show filter act’ or ‘show filter act 4083’ commands. To view the ACT pattern, use
the command ‘show filter act-pattern 4083’.
Note that the ACT patterns p1 and p2 use a base of ether-begin, which refers to
the beginning of an Ethernet frame. Next, notice that p1 is configured with an
offset of 224 bits and a length of 32 bits; this offset allows us to filter on the
src IP in an ARP packet. Finally, notice that p2 is configured with an offset of
224 bits and a length of 32 bits; this offset allows us to filter on the dst IP in
an ARP packet.

6.5.1 Via CLI
A. Create ACL 1
1. Create ACL 1 with type of inPort using ACT id 4083
• Passport-8610:5# config filter acl 1 create inPort act 4083
2. Add the access ports to ACL 1
• Passport-8610:5# config filter acl 1 port add 7/26-7/29
B. Add ACEs to ACL 1
1. Add ACE 1 with action of permit to allow ARP requests with the broadcast
address as the dst MAC
• Passport-8610:5# config filter acl 1 ace 1 action permit
• Passport-8610:5# config filter acl 1 ace 1 ethernet dst-mac eq ff:ff:ff:ff:ff:ff
• Passport-8610:5# config filter acl 1 ace 1 arp operation eq arprequest
• Passport-8610:5# config filter acl 1 ace 1 enable
2. Add ACE 2 with action of deny to drop all other ARP requests and enable
statistics
• Passport-8610:5# config filter acl 1 ace 2 action deny
• Passport-8610:5# config filter acl 1 ace 2 debug count enable
• Passport-8610:5# config filter acl 1 ace 2 arp operation eq arprequest
• Passport-8610:5# config filter acl 1 ace 2 enable
3. Add ACE 3 with action of deny to drop any ARP response with a source
address of the default gateway. Note the name p1; this is the ACT pattern
name explained above and used for pattern 1. Also note that the IP
address is entered in hex.
• Passport-8610:5# config filter acl 1 ace 3 action deny
• Passport-8610:5# config filter acl 1 ace 3 debug count enable
• Passport-8610:5# config filter acl 1 ace 3 advanced custom-filter1 p1 eq 0a011901
• Passport-8610:5# config filter acl 1 ace 3 enable
4. Add ACE 4 with action of deny to drop any ARP response with a
destination address of the default gateway. Note the name p2; this is the
ACT pattern name explained above and used for pattern 2. Also note
that the IP address is entered in hex.
• Passport-8610:5# config filter acl 1 ace 4 action deny
• Passport-8610:5# config filter acl 1 ace 4 debug count enable
• Passport-8610:5# config filter acl 1 ace 4 advanced custom-filter2 p2 eq 0a011901
• Passport-8610:5# config filter acl 1 ace 4 enable
5. Add ACE 5 with action of permit to allow all other ARP responses.
• Passport-8610:5# config filter acl 1 ace 5 action permit

• Passport-8610:5# config filter acl 1 ace 5 arp operation eq arpresponse
• Passport-8610:5# config filter acl 1 ace 5 enable
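To check how the five ACEs above behave in order, here is an added Python simulation (not Nortel code) that builds constructed ARP frames and evaluates them ACE by ACE. It assumes the standard Ethernet II/ARP layout, in which the sender IP sits 224 bits (byte 28) from ether-begin and the target IP 304 bits (byte 38), that the lowest-numbered matching ACE decides the action, and a default action of permit; the MAC addresses are constructed, and the p1/p2 offsets on your switch should be confirmed with ‘show filter act-pattern 4083’.

```python
"""Simulate ACL 1 from this section against constructed ARP frames.
Added example, not Nortel code. Assumes the standard Ethernet II + ARP
layout, that the lowest-numbered matching ACE decides the action, and a
default action of permit for frames that match no ACE."""
import struct
from ipaddress import IPv4Address

GATEWAY_IP = "10.1.25.1"  # the .1 default gateway of Figure 14
BROADCAST_MAC = bytes.fromhex("ffffffffffff")
ARP_REQUEST, ARP_RESPONSE = 1, 2
# Bit offsets from ether-begin: 14-byte Ethernet header + 8-byte ARP fixed
# header + 6-byte sender MAC puts the sender IP at byte 28 (the guide's p1);
# the target IP follows the 6-byte target MAC at byte 38 (assumption for p2).
SENDER_IP_BITS = 224
TARGET_IP_BITS = 304


def ip_to_pattern(ip):
    """10.1.25.1 -> '0a011901', the hex form used as the custom-filter value."""
    return IPv4Address(ip).packed.hex()


def pattern_at(frame, bit_offset, bit_length):
    """Raw frame bytes at a byte-aligned bit offset from ether-begin, as hex."""
    start, size = bit_offset // 8, bit_length // 8
    return frame[start:start + size].hex()


def arp_operation(frame):
    """ARP opcode (1 request, 2 response), or None for a non-ARP frame."""
    if frame[12:14] != b"\x08\x06":
        return None
    return struct.unpack("!H", frame[20:22])[0]


def build_arp(dst_mac, src_mac, op, sender_mac, sender_ip, target_mac, target_ip):
    """Constructed Ethernet II + ARP (Ethernet/IPv4) frame for testing."""
    eth = dst_mac + src_mac + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += sender_mac + IPv4Address(sender_ip).packed
    arp += target_mac + IPv4Address(target_ip).packed
    return eth + arp


def acl_1():
    """The five ACEs of section 6.5.1 as (ace id, action, match), in ACE order."""
    gw = ip_to_pattern(GATEWAY_IP)
    return [
        # ACE 1: ethernet dst-mac eq ff:ff:ff:ff:ff:ff + arp operation eq arprequest
        (1, "permit", lambda f: f[0:6] == BROADCAST_MAC and arp_operation(f) == ARP_REQUEST),
        # ACE 2: any other ARP request
        (2, "deny", lambda f: arp_operation(f) == ARP_REQUEST),
        # ACE 3: custom-filter1 p1 eq 0a011901 (sender IP is the gateway); a raw
        # byte compare with no ARP check, exactly as the CLI steps configure it
        (3, "deny", lambda f: pattern_at(f, SENDER_IP_BITS, 32) == gw),
        # ACE 4: custom-filter2 p2 eq 0a011901 (target IP is the gateway)
        (4, "deny", lambda f: pattern_at(f, TARGET_IP_BITS, 32) == gw),
        # ACE 5: every remaining ARP response
        (5, "permit", lambda f: arp_operation(f) == ARP_RESPONSE),
    ]


def evaluate(frame, acl=None, default_action="permit"):
    """Return (action, ace_id) for a frame arriving on an access port."""
    for ace_id, action, match in (acl if acl is not None else acl_1()):
        if match(frame):
            return action, ace_id
    return default_action, None


# Constructed MAC addresses for the test frames below.
HOST_A, HOST_B = bytes.fromhex("001122334401"), bytes.fromhex("001122334402")
ATTACKER, UNKNOWN = bytes.fromhex("00112233ee01"), bytes(6)

if __name__ == "__main__":
    cases = {
        "broadcast request for the gateway": build_arp(
            BROADCAST_MAC, HOST_A, ARP_REQUEST, HOST_A, "10.1.25.50", UNKNOWN, GATEWAY_IP),
        "response claiming to be the gateway": build_arp(
            HOST_A, ATTACKER, ARP_RESPONSE, ATTACKER, GATEWAY_IP, HOST_A, "10.1.25.50"),
        "response between two hosts": build_arp(
            HOST_A, HOST_B, ARP_RESPONSE, HOST_B, "10.1.25.60", HOST_A, "10.1.25.50"),
    }
    for label, frame in cases.items():
        print(f"{label}: {evaluate(frame)}")
```

Note that ACE 3 also drops responses whose sender really is the gateway; that is harmless here because the ACL is applied only to access ports 7/26-7/29, so the real gateway's responses never traverse it.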

6.5.2 Via JDM
A. Create ACL 1
Create a new ACL with type of inPort using ACT ID 4083
1. Go to Security, select Advanced L2-L7 Filter and then click on ACL. Click
on the OK button when prompted with the ‘NOTE: Filter configuration of R-
modules only’ icon. Unless you wish to change the GrId and Policy Name,
leave the default settings of 1 and POLICY-1 respectively.
2. Via the ACL tab, click on Insert. Unless you wish to change the ACL id,
leave the default setting, which should default to 1 if this is the first ACL
configured. Next enter the following:
• ActId: 4083
• Type: inPort
• PortList: 7/26-7/29
• Click on Insert when finished.
B. Add ACEs to ACL 1
1. Add ACE 1 with action of permit to allow ARP requests with a
broadcast address as the dst MAC.
Start by clicking on AclId 1 and then clicking on ACE via the ACL tab in the
ACL window. Next, click on Insert. The default AceId should be 1. If you do
not enter a name, a default name of ACE-1 will be used. Hence, do not
enter anything in the AceId and Name fields. Next, enter the following:
• Mode: permit
• Click on Insert when completed
Setup Ethernet dst address
Via the ACE Common tab, highlight AceId 1, click on Eth and click on
Destination Address tab. Click on Insert and enter the following:
• Oper: eq
• List: ff:ff:ff:ff:ff:ff
• Click on Insert when completed
Setup ARP Request
Via the ACE Common tab, highlight AceId 1, click on Arp and click on
Insert tab. Click on Insert and enter the following:
• Type: operation
• Oper: eq
• Value: arpRequest
• Click on Insert when completed
2. Add ACE 2 with action of deny to drop all other ARP requests and enable
statistics
Start by clicking on Insert via the ACE Common tab. The default AceId
should be 2. If you do not enter a name, a default name of ACE-2 will be
used. Hence, do not enter anything in the AceId and Name fields. Next,
enter the following:
• Mode: deny
• Flags: Count
• Click on Insert to complete ACE 2 configuration

Select ARP Request


Via the ACE Common tab with ACE-2 selected, click on Arp. Click on
Insert and enter the following:
• Type: operation
• Oper: eq
• Value: arpRequest
• Click on Insert when completed
3. Add ACE 3 with action of deny to drop any ARP response with a source
address of the default gateway. Note the name p1; this is the ACT pattern
name as explained above and used for pattern 1. Also note that the IP
address is entered in Hex.
Start by clicking on Insert via the ACE Common tab. The default AceId
should be 3. If you do not enter a name, a default name of ACE-3 will be
used. Hence, do not enter anything in the AceId and Name windows. Next,
enter the following:
• Mode: deny
• Flags: Count
• Click on Insert to complete ACE 3 configuration

Select ACT data pattern p1


Via the ACE Common tab with ACE-3 selected, click on Adv. Click on
Pattern 1 and then Insert and enter the following:
• Name: p1
• Oper: eq
• Value: 0a011901
• Click on Insert when completed
4. Add ACE 4 with action of deny to drop any ARP response with a
destination address of the default gateway. Note the name p2; this is the
ACT pattern name explained above and used for pattern 2. Also note that
the IP address is entered in hex.
Start by clicking on Insert via the ACE Common tab. The default AceId
should be 4. If you do not enter a name, a default name of ACE-4 will be
used. Hence, do not enter anything in the AceId and Name windows. Next,
enter the following:
• Mode: deny
• Flags: Count
• Click on Insert to complete ACE 4 configuration

Select ACT data pattern p2


Via the ACE Common tab with ACE-4 selected, click on Adv. Click on
Pattern 2 and then Insert and enter the following:
• Name: p2
• Oper: eq
• Value: 0a011901

• Click on Insert when completed


5. Add ACE 5 with action of permit to allow all other ARP responses.
Start by clicking on Insert via the ACE Common tab. The default AceId
should be 5. If you do not enter a name, a default name of ACE-5 will be
used. Hence, do not enter anything in the AceId and Name fields. Next,
enter the following:
• Mode: permit
• Click on Insert to complete ACE 5 configuration

Select ARP Response


Via the ACE Common tab with ACE-5 selected, click on Arp. Click on
Insert and enter the following:
• Type: operation
• Oper: eq
• Value: arpResponse
• Click on Insert when completed
C. Enable all ACEs
Via the ACE Common tab, make sure all ACEs are enabled via the
AdminState tab.

6.6 Configuration Example – DoS Attacks
In this configuration example, we will use both offset and normal filters to deny
various DoS attacks. Although there are many DoS attacks, for this example
we will concentrate on the following:
• SQLslam
o The worm targeting SQL Server computers is self-propagating
malicious code that exploits the vulnerability described in VU#484891
(CAN-2002-0649). This vulnerability allows for the execution of
arbitrary code on the SQL Server computer due to a stack buffer
overflow. Once the worm compromises a machine, it will try to
propagate itself. The worm will craft packets of 376-bytes and send
them to randomly chosen IP addresses on port 1434/udp. If the packet
is sent to a vulnerable machine, this victim machine will become
infected and will also begin to propagate. Beyond the scanning activity
for new hosts, the current variant of this worm has no other payload.
Activity of this worm is readily identifiable on a network by the
presence of 376-byte UDP packets. These packets will appear to be
originating from seemingly random IP addresses and destined for port
1434/udp.
• Nachia
o The W32/Nachi variants W32/Nachi-A and W32/Nachi-B are worms
that spread using the RPC DCOM vulnerability in a similar fashion to
the W32/Blaster-A worm. Both rely upon two vulnerabilities in
Microsoft's software.
• Xmas
o This is a DoS attack that sends TCP packets with all TCP flags set
in the same packet, which is illegal.
• TCP SynFinScan
o This is a DoS attack that sends TCP packets with both SYN and FIN set
in the same packet, which is illegal.
• TCP FtpPort
o These are TCP packets with a source port of 20 (FTP) and a
destination port less than 1024, which is illegal. A legitimate FTP request
would have been initiated from a TCP port greater than 1024.
• TCP DnsPort
o Similar to TCP FtpPort above, but for DNS port 53. Note that this is for
TCP DNS.
To configure the above, please follow the steps below. For this example, we will
assume the following:
• Use ACT 1 with two off-set patterns for SQLslam and Nachia
• Use ACL 4
• Apply the ACL 4 to VLAN 2.

6.6.1 Via CLI
A. Create a new ACT to filter on src-IP, dst-IP, IP Protocol Type, TCP src port,
TCP dst port, UDP dst port, and TCP Flags. Also add the off-set pattern locations.
1. Create a new ACT with ID = 1
• Passport-8610:5# config filter act 1 create
2. Select IP attributes of source IP, destination IP, and IP protocol type
• Passport-8610:5# config filter act 1 ip srcIp,dstIp,ipProtoType
3. Select protocol attributes of TCP source port, TCP destination port, UDP
destination port, and TCP flags
• Passport-8610:5# config filter act 1 protocol tcpSrcPort,tcpDstPort,udpDstPort,tcpFlags
4. Add the ACT pattern location for SQLslam. For this example, we will start at
the beginning of the IP TOS field. The pattern we wish to filter on begins
216 bits (27 bytes, in the data field) from the beginning of the IP TOS field, and
the pattern length is 48 bits (6 bytes). We will name the pattern SQLslam.
This name will be applied to an ACE with the actual pattern later on.
• Passport-8610:5# config filter act 1 pattern SQLslam add ip-tos-begin 216 48
5. Add the ACT pattern location for Nachia. For this example, we will start at the
beginning of the IP TOS field. The pattern we wish to filter on begins 224
bits (28 bytes) from the beginning of the IP TOS field, and the pattern
length is 24 bits (3 bytes). We will name the pattern Nachia. This name will be
applied to an ACE with the actual pattern later on.
• Passport-8610:5# config filter act 1 pattern Nachia add ip-tos-begin 224 24
6. Enable ACT 1
• Passport-8610:5# config filter act 1 apply
B. Create ACL 4
1. Create ACL 4 with type of ingress VLAN:
• Passport-8610:5# config filter acl 4 create inVlan act 1
2. Add VLAN 2 to ACL 4:
• Passport-8610:5# config filter acl 4 add 2
C. Add ACEs to ACL 4
1. Add ACE 1 with action of deny stop-on-match for SQLslam and enable
statistics. We will add the offset pattern of 040101010101 using the ACT
pattern named SQLslam configured in Step A, bullet 4 above. Note that we
are adding the offset pattern to advanced custom filter 1. A maximum of
three offset patterns are allowed per ACL.
• Passport-8610:5# config filter acl 4 ace 1 create name "ACE-SQLslam"
• Passport-8610:5# config filter acl 4 ace 1 action deny stop-on-match true
• Passport-8610:5# config filter acl 4 ace 1 debug count enable
• Passport-8610:5# config filter acl 4 ace 1 ip ip-protocol-type eq udp
• Passport-8610:5# config filter acl 4 ace 1 protocol udp-dst-port eq 1434
• Passport-8610:5# config filter acl 4 ace 1 advanced custom-filter1 SQLslam eq 040101010101
• Passport-8610:5# config filter acl 4 ace 1 enable
2. Add ACE 2 with action of deny stop-on-match for Nachia and enable
statistics. We will add the offset pattern of aaaaaa using the ACT pattern
named Nachia configured in Step A, bullet 5 above. Note that we are
adding the offset pattern to advanced custom filter 2. A maximum of
three offset patterns are allowed per ACL.
• Passport-8610:5# config filter acl 4 ace 2 create name "ACE-Nachia"
• Passport-8610:5# config filter acl 4 ace 2 action deny stop-on-match true
• Passport-8610:5# config filter acl 4 ace 2 debug count enable
• Passport-8610:5# config filter acl 4 ace 2 ip ip-protocol-type eq icmp
• Passport-8610:5# config filter acl 4 ace 2 advanced custom-filter2 Nachia eq aaaaaa
• Passport-8610:5# config filter acl 4 ace 2 enable
3. Add ACE 3 with action of deny stop-on-match for Xmas and enable
statistics. We will filter on protocol type of TCP with the TCP flags
Finish, Push, and Urgent set.
• Passport-8610:5# config filter acl 4 ace 3 create name "ACE-Xmas"
• Passport-8610:5# config filter acl 4 ace 3 action deny stop-on-match true
• Passport-8610:5# config filter acl 4 ace 3 debug count enable
• Passport-8610:5# config filter acl 4 ace 3 ip ip-protocol-type eq tcp
• Passport-8610:5# config filter acl 4 ace 3 protocol tcp-flags match-all fin,push,urg
• Passport-8610:5# config filter acl 4 ace 3 enable
4. Add ACE 4 with action of deny stop-on-match for TCP SynFinScan and
enable statistics. Here we will filter on protocol type of TCP with the TCP
flags Synchronize and Finish set.
• Passport-8610:5# config filter acl 4 ace 4 create name "ACE-SynFinScan"
• Passport-8610:5# config filter acl 4 ace 4 action deny stop-on-match true
• Passport-8610:5# config filter acl 4 ace 4 debug count enable
• Passport-8610:5# config filter acl 4 ace 4 ip ip-protocol-type eq tcp
• Passport-8610:5# config filter acl 4 ace 4 protocol tcp-flags match-all fin,syn
• Passport-8610:5# config filter acl 4 ace 4 enable
5. Add ACE 5 with action of deny stop-on-match for TCP FtpPort and enable
statistics. Here we will filter on protocol type of TCP with the Synchronize
flag set, TCP src port equal to 20, and TCP dst port less than or equal to
1024.
• Passport-8610:5# config filter acl 4 ace 5 create name "ACE-FtpPort"
• Passport-8610:5# config filter acl 4 ace 5 action deny stop-on-match true
• Passport-8610:5# config filter acl 4 ace 5 debug count enable
• Passport-8610:5# config filter acl 4 ace 5 ip ip-protocol-type eq tcp
• Passport-8610:5# config filter acl 4 ace 5 protocol tcp-src-port eq 20
• Passport-8610:5# config filter acl 4 ace 5 protocol tcp-dst-port le 1024

• Passport-8610:5# config filter acl 4 ace 5 protocol tcp-flags match-all syn
• Passport-8610:5# config filter acl 4 ace 5 enable
6. Add ACE 6 with action of deny stop-on-match for TCP DnsPort and enable
statistics. Here we will filter on protocol type of TCP with the Synchronize
flag set, TCP src port equal to 53, and TCP dst port less than or equal to
1024.
• Passport-8610:5# config filter acl 4 ace 6 create name "ACE-DnsPort"
• Passport-8610:5# config filter acl 4 ace 6 action deny stop-on-match true
• Passport-8610:5# config filter acl 4 ace 6 debug count enable
• Passport-8610:5# config filter acl 4 ace 6 ip ip-protocol-type eq tcp
• Passport-8610:5# config filter acl 4 ace 6 protocol tcp-src-port eq 53
• Passport-8610:5# config filter acl 4 ace 6 protocol tcp-dst-port le 1024
• Passport-8610:5# config filter acl 4 ace 6 protocol tcp-flags match-all syn
• Passport-8610:5# config filter acl 4 ace 6 enable
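To see how ACL 4 classifies traffic, here is an added Python simulation (not Nortel code) of the six ACEs above: it converts the ip-tos-begin offsets into packet byte offsets, applies the tcp-flags match-all and port conditions, honours stop-on-match, and keeps per-ACE hit counters as debug count does. The test packets are constructed inside the block (checksums left at zero), the protocol numbers and TCP flag bits are the standard IANA values, and a default action of permit for packets matching no ACE is an assumption.

```python
"""Simulate ACL 4 from this section over constructed IPv4 packets.
Added example, not Nortel code. Protocol numbers and TCP flag bits are the
standard IANA values; a default action of permit for packets that match no
ACE is an assumption."""
import struct
from ipaddress import IPv4Address

IP_PROTO = {"icmp": 1, "tcp": 6, "udp": 17}
TCP_FLAG = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "push": 0x08, "ack": 0x10, "urg": 0x20}


def ip_tos_begin_offset(bit_offset):
    """Byte offset into the IPv4 packet of an ip-tos-begin pattern: TOS is
    byte 1 of the header, so 216 bits (27 bytes) lands on byte 28, the first
    byte after a 20-byte IP header and an 8-byte UDP header."""
    return 1 + bit_offset // 8


def parse_ipv4(pkt):
    """Extract the fields ACT 1 selects (constructed packets: no IP options)."""
    ihl = (pkt[0] & 0x0F) * 4
    info = {"proto": pkt[9], "src_port": None, "dst_port": None, "tcp_flags": 0}
    if info["proto"] in (IP_PROTO["tcp"], IP_PROTO["udp"]):
        info["src_port"], info["dst_port"] = struct.unpack("!HH", pkt[ihl:ihl + 4])
    if info["proto"] == IP_PROTO["tcp"]:
        info["tcp_flags"] = pkt[ihl + 13] & 0x3F
    return info


def ace_matches(ace, pkt, info):
    """Every attribute configured on an ACE must match."""
    if "proto" in ace and info["proto"] != IP_PROTO[ace["proto"]]:
        return False
    if "udp_dst_eq" in ace and info["dst_port"] != ace["udp_dst_eq"]:
        return False
    if "tcp_src_eq" in ace and info["src_port"] != ace["tcp_src_eq"]:
        return False
    if "tcp_dst_le" in ace and (info["dst_port"] is None or info["dst_port"] > ace["tcp_dst_le"]):
        return False
    if "flags_match_all" in ace:  # match-all: every listed bit must be set
        mask = sum(TCP_FLAG[f] for f in ace["flags_match_all"])
        if info["tcp_flags"] & mask != mask:
            return False
    if "pattern" in ace:  # (offset bits, length bits, hex value) from ip-tos-begin
        bits, length, value = ace["pattern"]
        start = ip_tos_begin_offset(bits)
        if pkt[start:start + length // 8].hex() != value:
            return False
    return True


# ACL 4 from section 6.6.1 in ACE order; every ACE is deny with stop-on-match.
ACL4 = [
    {"name": "ACE-SQLslam", "proto": "udp", "udp_dst_eq": 1434,
     "pattern": (216, 48, "040101010101")},
    {"name": "ACE-Nachia", "proto": "icmp", "pattern": (224, 24, "aaaaaa")},
    {"name": "ACE-Xmas", "proto": "tcp", "flags_match_all": ("fin", "push", "urg")},
    {"name": "ACE-SynFinScan", "proto": "tcp", "flags_match_all": ("fin", "syn")},
    {"name": "ACE-FtpPort", "proto": "tcp", "tcp_src_eq": 20, "tcp_dst_le": 1024,
     "flags_match_all": ("syn",)},
    {"name": "ACE-DnsPort", "proto": "tcp", "tcp_src_eq": 53, "tcp_dst_le": 1024,
     "flags_match_all": ("syn",)},
]


def evaluate(pkt, acl=ACL4, counters=None):
    """Return (action, ace name). The first matching ACE denies and stops
    (stop-on-match true); counters, if given, collect per-ACE hits."""
    info = parse_ipv4(pkt)
    for ace in acl:
        if ace_matches(ace, pkt, info):
            if counters is not None:
                counters[ace["name"]] = counters.get(ace["name"], 0) + 1
            return "deny", ace["name"]
    return "permit", None


# Builders for constructed test packets (checksums left at zero).
def ipv4(proto, payload, src="10.1.25.50", dst="10.1.25.60"):
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         IP_PROTO[proto], 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return header + payload

def tcp(src_port, dst_port, *flags):
    bits = sum(TCP_FLAG[f] for f in flags)
    return struct.pack("!HHIIHHHH", src_port, dst_port, 0, 0, (5 << 12) | bits, 8192, 0, 0)

def udp(src_port, dst_port, payload):
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload

def icmp_echo(data):
    return struct.pack("!BBHHH", 8, 0, 0, 1, 1) + data

if __name__ == "__main__":
    hits = {}
    for label, pkt in [("tcp SYN from port 20 to port 80", ipv4("tcp", tcp(20, 80, "syn"))),
                       ("ordinary tcp SYN to port 80", ipv4("tcp", tcp(40000, 80, "syn")))]:
        print(f"{label}: {evaluate(pkt, counters=hits)}")
    print("hit counters:", hits)
```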

6.6.2 Via JDM
A. Create a new ACT to filter on src-IP, dst-IP, IP Protocol Type, TCP src port,
TCP dst port, UDP dst port, and TCP Flags. Also add the off-set pattern locations.
Create a new ACT with ID 1
1. Go to Security, select Advanced L2-L7 Filter and then click on ACL.
Click on the OK button when prompted with the ‘NOTE: Filter
configuration of R-modules only’ icon.
2. Via the ACT tab, click on Insert. Unless you wish to change the ACT id,
leave the default setting, which should default to 1 if this is the first ACT
configured. Next enter the following:
• IpAttrs: srcIp, dstIp, ipProtoType
• ProtocolAttrs: tcpSrcPort, tcpDstPort, udpDstPort, tcpFlags
• Click on Insert when finished
3. Via the ACT tab, select ACT-1 and click on Pattern. Via the Pattern
window, click on Insert to add the ACT pattern location for SQLslam. For
this example, we will start at the beginning of the IP TOS field. The
pattern we wish to filter on begins 216 bits (27 bytes, in the data field) from
the beginning of the IP TOS field, and the pattern length is 48 bits (6
bytes). We will name the pattern SQLslam. This name will be applied
to an ACE with the actual pattern later on. Enter the following:
• Name: SQLslam
• Base: ipTosBegin
• Offset: 216
• Length: 48
• Click on Insert when finished
4. Via the Pattern window, click on Insert to add the ACT pattern location for
Nachia. For this example, we will start at the beginning of the IP TOS
field. The pattern we wish to filter on begins 224 bits (28 bytes) from
the beginning of the IP TOS field, and the pattern length is 24 bits (3
bytes). This name will be applied to an ACE with the actual pattern
later on.
• Name: Nachia
• Base: ipTosBegin
• Offset: 224
• Length: 24
• Click on Insert when finished
• Via the Pattern window, click on Close to go back to the main ACT
window
5. Enable ACT-1
Via the main ACT window, under the Apply tab for ACT-1, select true
then click on Apply.
B. Create ACL 4
Create a new ACL using ACL ID 4 with type of inVlan using ACT ID 1
1. Go to Security, select Advanced L2-L7 Filter and then click on ACL.
2. Via the ACL tab, click on Insert. Next enter the following:
• AclId: 4
• ActId: 1
• Type: inVlan
• VlanList: 2
• Click on Insert when finished.
C. Add ACE’s to ACL 4
1. Add ACE 1 with action of deny stop-on-match for SQLslam and enable
statistics. We will add the offset pattern of 040101010101 using ACT
pattern named SQLslam configured in Step A, bullet 3 above. Note that we
are adding the offset pattern to Pattern 1. A maximum of up to three offset
patterns are allowed per ACL.
Start by clicking on AclId 4 and then clicking on ACE via the ACL tab in the
ACL window. Next, click on Insert. The default AceId should be 1. Next,
enter the following:
• Name: ACE-SQLslam
• Mode: deny
• StopOnMatch: enable
• Flags: count
• Click on Insert when completed
Setup IP Protocol type of UDP
Via the ACE Common tab, highlight AceId 1, click on IP and then the Protocol tab.
Click on Insert and enter the following:
• Oper: eq
• List: udp
• Click on Insert when completed and then close
Setup UDP destination port equals 1434
Via the ACE Common tab, highlight AceId 1, click on Proto and then the UDP
Destination Port tab. Click on Insert and enter the following:

• Oper: eq
• Port: 1434
• Click on Insert and then close when completed
Setup offset pattern equals 040101010101
Via the ACE Common tab, highlight AceId 1, click on Adv, and select
Pattern 1. Click on Insert and enter the following:
• Name: SQLslam
• Oper: eq
• Value: 040101010101
• Click on Insert and then close when completed

NOTE: The Name entered here is the ACT pattern name configured
above.
2. Add ACE 2 with action of deny stop-on-match for Nachia and enable
statistics. We will add the offset pattern of aaaaaa using ACT pattern
named Nachia configured in Step A, bullet 4 above. Note that we are
adding the offset pattern to Pattern 2. A maximum of up to three offset
patterns are allowed per ACL.
Via the ACE Common window, click on Insert. The default AceId should be
2. Next, enter the following:
• Name: ACE-Nachia
• Mode: deny
• StopOnMatch: enable
• Flags: count
• Click on Insert when completed
Setup IP Protocol type of ICMP
Via the ACE Common tab, highlight AceId 2, click on IP and then the
Protocol tab. Click on Insert and enter the following:
• Oper: eq
• List: icmp
• Click on Insert when completed
Setup offset pattern 2 equals aaaaaa
Via the ACE Common tab, highlight AceId 2, click on Adv, and
select Pattern 2. Click on Insert and enter the following:
• Name: Nachia
• Oper: eq
• Value: aaaaaa
• Click on Insert when completed
NOTE: The Name entered for the pattern must be the ACT pattern name
configured above (Nachia), not the ACE name.
3. Add ACE 3 with action of deny stop-on-match for Xmas and enable
statistics. We will filter on protocol type of TCP with the Push and
Urgent TCP flags set (the flag list entered below, like the Appendix A
configuration, matches push,urg only).
Via the ACE Common window, click on Insert. The default AceId should be
3. Next, enter the following:
• Name: ACE-Xmas


• Mode: deny
• StopOnMatch: enable
• Flags: count
• Click on Insert when completed
Setup IP Protocol type of TCP
Via the ACE Common tab, highlight AceId 3, click on IP and
Protocol tab. Click on Insert and enter the following:
• Oper: eq
• List: tcp
• Click on Insert when completed
Setup TCP Flags to select Push and URG
Via the ACE Common tab, highlight AceId 3, click on Proto, and
select TCP Flags. Click on Insert and enter the following:
• Oper: matchAll
• List: push,urg
• Click on Insert when completed
4. Add ACE 4 with action of deny stop-on-match for TCP SynFinScan
and enable statistics. Here we will filter on protocol type of TCP with
TCP Flag set with Synchronize and Finish.
Via the ACE Common window, click on Insert. The default AceId
should be 4. Next, enter the following:
• Name: ACE-SynFinScan
• Mode: deny
• StopOnMatch: enable
• Flags: count
• Click on Insert when completed
Setup IP Protocol type of TCP
Via the ACE Common tab, highlight AceId 4, click on IP and
Protocol tab. Click on Insert and enter the following:
• Oper: eq
• List: tcp
• Click on Insert when completed
Setup TCP Flags to select SYN and FIN
Via the ACE Common tab, highlight AceId 4, click on Proto,
and select TCP Flags. Click on Insert and enter the following:
• Oper: matchAll
• List: fin,syn
• Click on Insert when completed
5. Add ACE 5 with action of deny stop-on-match for TCP FtpPort and
enable statistics. Here we will filter on protocol type of TCP with TCP
Flag set with Synchronize, TCP src port equals 20, and TCP dst port
equal to or less than 1024.
Via the ACE Common window, click on Insert. The default AceId
should be 5. Next, enter the following:
• Name: ACE-FtpPort


• Mode: deny
• StopOnMatch: enable
• Flags: count
• Click on Insert when completed
Setup IP Protocol type of TCP
Via the ACE Common tab, highlight AceId 5, click on IP and
Protocol tab. Click on Insert and enter the following:
• Oper: eq
• List: tcp
• Click on Insert when completed
Setup TCP source and destination ports
Via the ACE Common tab, highlight AceId 5, click on Proto,
and select TCP Source Port. Click on Insert and enter the following:
• Oper: eq
• List: 20
• Click on Insert when completed
Continue via the Proto tab, select TCP Destination Port. Click on Insert
and enter the following (le, not eq, so that any destination port up to
1024 matches, as in the Appendix A configuration):
• Oper: le
• List: 1024
• Click on Insert when completed
Setup TCP Flags to select SYN
Continue via the Proto tab, and select TCP Flags. Click on Insert and enter
the following:
• Oper: matchAll
• List: syn
• Click on Insert when completed
6. Add ACE 6 with action of deny stop-on-match for TCP DnsPort and
enable statistics. Here we will filter on protocol type of TCP with TCP
Flag set with Synchronize, TCP src port equals 53, and TCP dst port
equal to or less than 1024.
Via the ACE Common window, click on Insert. The default AceId
should be 6. Next, enter the following:
• Name: ACE-DnsPort
• Mode: deny
• StopOnMatch: enable
• Flags: count
• Click on Insert when completed
Setup IP Protocol type of TCP
Via the ACE Common tab, highlight AceId 6, click on IP and
Protocol tab. Click on Insert and enter the following:
• Oper: eq
• List: tcp
• Click on Insert when completed
Setup TCP source and destination ports


Via the ACE Common tab, highlight AceId 6, click on Proto,
and select TCP Source Port. Click on Insert and enter the following:
• Oper: eq
• List: 53
• Click on Insert when completed
Continue via the Proto tab, select TCP Destination Port. Click on Insert
and enter the following (le, not eq, so that any destination port up to
1024 matches, as in the Appendix A configuration):
• Oper: le
• List: 1024
• Click on Insert when completed
Setup TCP Flags to select SYN
Continue via the Proto tab, and select TCP Flags. Click on Insert and enter
the following:
• Oper: matchAll
• List: syn
• Click on Insert when completed
7. Enable all ACEs
Via the ACE Common tab, make sure every ACE has AdminState set to
enable; an ACE that is left disabled is never evaluated, so the traffic it
was meant to deny is passed to the next ACE or to the ACL default action.
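The matching semantics of the six ACEs, as an added example that is not part of the Nortel guide. The Python below models ACL 4 over constructed packets: it parses a raw IPv4 packet, evaluates the ACEs in order with first-match-wins (the stop-on-match behaviour every ACE above enables), extracts the two ACT patterns as "ip-tos-begin <offset> <length>" bit ranges counted from the ToS byte, and keeps the per-ACE hit counters that "debug count enable" turns on. The sample packets, the permit default for unmatched traffic and the byte-aligned reading of the pattern offsets are this example's assumptions, not statements from the guide.

```python
"""Model of ACL 4 from Example 6.6 (added example, not Nortel code).

ACEs are evaluated in order; with stop-on-match the first ACE that matches
decides the action and bumps its counter. ACT patterns are read as
"ip-tos-begin <offset> <length>": offset and length in bits, counted from
the IPv4 ToS byte. A permit default for unmatched traffic is an assumption.
"""
import struct
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

TOS_BYTE = 1                                                  # ToS/DS byte is IP header offset 1
TCP_FLAG_NAMES = ["fin", "syn", "rst", "push", "ack", "urg"]  # bit 0 .. bit 5 of the flag byte


@dataclass
class Packet:
    proto: int
    src_port: Optional[int]
    dst_port: Optional[int]
    tcp_flags: Set[str]
    raw: bytes


def parse_ipv4(raw: bytes) -> Packet:
    """Extract the fields the ACT of Example 6.6 can match: protocol, ports, TCP flags."""
    ihl = (raw[0] & 0x0F) * 4
    proto = raw[9]
    l4 = raw[ihl:]
    src_port = dst_port = None
    flags: Set[str] = set()
    if proto in (6, 17):                                  # TCP/UDP: ports are the first 4 bytes
        src_port, dst_port = struct.unpack("!HH", l4[:4])
    if proto == 6:                                        # TCP flag byte is at offset 13
        flags = {n for i, n in enumerate(TCP_FLAG_NAMES) if l4[13] & (1 << i)}
    return Packet(proto, src_port, dst_port, flags, raw)


def act_pattern(pkt: Packet, bit_offset: int, bit_len: int) -> bytes:
    """Bytes an 'ip-tos-begin <offset> <length>' pattern is compared against.
    Both patterns on the page are byte aligned, so only that case is modelled."""
    if bit_offset % 8 or bit_len % 8:
        raise ValueError("only byte-aligned patterns are modelled")
    start = TOS_BYTE + bit_offset // 8
    return pkt.raw[start:start + bit_len // 8]


@dataclass
class Ace:
    name: str
    action: str                       # "deny" or "permit"
    match: Callable[[Packet], bool]
    hits: int = 0                     # the 'debug count enable' counter


def build_acl4() -> List[Ace]:
    """The six ACEs of 'filter acl 4', in the order the switch evaluates them."""
    return [
        Ace("ACE-SQLslam", "deny", lambda p: p.proto == 17 and p.dst_port == 1434
            and act_pattern(p, 216, 48) == bytes.fromhex("040101010101")),
        Ace("ACE-Nachia", "deny", lambda p: p.proto == 1
            and act_pattern(p, 224, 24) == bytes.fromhex("aaaaaa")),
        Ace("ACE-Xmas", "deny", lambda p: p.proto == 6 and {"push", "urg"} <= p.tcp_flags),
        Ace("ACE-SynFinScan", "deny", lambda p: p.proto == 6 and {"fin", "syn"} <= p.tcp_flags),
        Ace("ACE-FtpPort", "deny", lambda p: p.proto == 6 and p.src_port == 20
            and p.dst_port <= 1024 and "syn" in p.tcp_flags),
        Ace("ACE-DnsPort", "deny", lambda p: p.proto == 6 and p.src_port == 53
            and p.dst_port <= 1024 and "syn" in p.tcp_flags),
    ]


def evaluate(acl: List[Ace], raw: bytes, default: str = "permit") -> Tuple[str, Optional[str]]:
    """First matching ACE wins (every ACE in the example is stop-on-match)."""
    pkt = parse_ipv4(raw)
    for ace in acl:
        if ace.match(pkt):
            ace.hits += 1
            return ace.action, ace.name
    return default, None


# Constructed sample packets: minimal headers, checksums left zero (irrelevant to matching).
def ipv4(proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes([10, 1, 1, 1]), bytes([10, 1, 1, 2]))
    return hdr + payload


def udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def tcp(sport: int, dport: int, flags: Set[str]) -> bytes:
    bits = sum(1 << i for i, n in enumerate(TCP_FLAG_NAMES) if n in flags)
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, bits, 8192, 0, 0)


def icmp_echo(data: bytes) -> bytes:
    return struct.pack("!BBHHH", 8, 0, 0, 1, 1) + data


SAMPLES: Dict[str, bytes] = {
    "slammer":   ipv4(17, udp(1234, 1434, bytes.fromhex("040101010101") + b"\x01" * 20)),
    "sql_probe": ipv4(17, udp(1234, 1434, b"\x12\x01\x01\x00\x00\x00")),  # port hits, payload does not
    "nachi":     ipv4(1, icmp_echo(b"\xaa" * 64)),
    "ping":      ipv4(1, icmp_echo(b"abcdefghijklmnop")),
    "xmas":      ipv4(6, tcp(40000, 80, {"fin", "push", "urg"})),
    "synfin":    ipv4(6, tcp(40000, 22, {"syn", "fin"})),
    "ftp_scan":  ipv4(6, tcp(20, 22, {"syn"})),
    "ftp_data":  ipv4(6, tcp(20, 40001, {"syn"})),          # dst port above 1024: not matched
    "web":       ipv4(6, tcp(40000, 80, {"syn"})),
}


def classify_all() -> Tuple[Dict[str, Tuple[str, Optional[str]]], Dict[str, int]]:
    """Run every sample through a fresh ACL 4; return verdicts and per-ACE hit counters."""
    acl = build_acl4()
    verdicts = {name: evaluate(acl, raw) for name, raw in SAMPLES.items()}
    return verdicts, {ace.name: ace.hits for ace in acl}


if __name__ == "__main__":
    verdicts, counters = classify_all()
    for name, (action, ace) in verdicts.items():
        print(f"{name:10s} {action:6s} {ace or '(default)'}")
    print(counters)
```

Note what the offsets imply: with a 20-byte IP header, bit offset 216 from the ToS byte lands on the first byte of the UDP payload, so the SQLslam pattern is compared against the start of the datagram, and a UDP/1434 packet whose payload does not begin 04 01 01 01 01 01 falls through to the default action. The FtpPort and DnsPort ACEs only catch SYNs from source port 20 or 53 toward low destination ports, which is why the ftp_data sample with a high destination port is not denied.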


7. Appendix A – Configuration Files


7.1 From Example 6.1
#
# R-MODULE FILTER CONFIGURATION
#

filter act 1 create


filter act 1 ip srcIp,ipProtoType
filter act 1 protocol tcpSrcPort,tcpDstPort,udpDstPort
filter act 1 apply
filter acl 1 create inVlan act 1
filter acl 1 vlan add 200
filter acl 1 ace 1 action deny stop-on-match true
filter acl 1 ace 1 debug count enable
filter acl 1 ace 1 ip ip-protocol-type eq udp
filter acl 1 ace 1 protocol udp-dst-port eq tftp
filter acl 1 ace 1 enable
filter acl 1 ace 2 action permit remark-dscp phbcs2 stop-on-match true
filter acl 1 ace 2 debug count enable
filter acl 1 ace 2 ip src-ip eq 10.1.1.2-10.1.1.3
filter acl 1 ace 2 ip ip-protocol-type eq tcp
filter acl 1 ace 2 protocol tcp-src-port eq 80
filter acl 1 ace 2 enable
filter acl 1 ace 3 action deny stop-on-match true
filter acl 1 ace 3 debug count enable
filter acl 1 ace 3 ip ip-protocol-type eq tcp
filter acl 1 ace 3 protocol tcp-src-port eq 80
filter acl 1 ace 3 enable
filter acl 1 ace 4 action permit remark-dscp phbcs1 stop-on-match true
filter acl 1 ace 4 debug count enable
filter acl 1 ace 4 ip src-ip ge 0.0.0.0
filter acl 1 ace 4 enable

7.2 From Example 6.2


#
# QOS CONFIGURATION
#

qos policy 1 create peak-rate 2000 svc-rate 1000 lanes 7/3 name "POLICY-1"

#
# VLAN CONFIGURATION
#

vlan 1 ports remove 4/1-4/30,7/1-7/30 member portmember


vlan 2 create byport 1 color 1
vlan 2 ports remove 4/1-4/30,7/1-7/28 member portmember
vlan 2 ports add 7/29-7/30 member portmember

#
# R-MODULE FILTER CONFIGURATION
#

filter act 1 create


filter act 1 protocol tcpDstPort,udpDstPort
filter act 1 apply
filter acl 1 create inVlan act 1
filter acl 1 vlan add 2
filter acl 1 ace 1 create name "UDP_Range"
filter acl 1 ace 1 action permit remark-dscp phbaf41
filter acl 1 ace 1 debug count enable
filter acl 1 ace 1 protocol udp-dst-port eq 1124-1784


filter acl 1 ace 1 enable


filter acl 1 ace 2 create name "Police_1"
filter acl 1 ace 2 action permit remark-dscp phbaf11 police 1
filter acl 1 ace 2 debug count enable
filter acl 1 ace 2 protocol tcp-dst-port eq 20-21
filter acl 1 ace 2 enable

7.3 From Example 6.3


#
# QOS CONFIGURATION
#

qos egress-queue-set 2 queue 0 set min-rate 40


qos egress-queue-set 2 queue 1 set min-rate 25
qos egress-queue-set 2 queue 2 set min-rate 15
qos egress-queue-set 2 queue 3 set min-rate 5
qos egress-queue-set 2 queue 4 set min-rate 0
qos egress-queue-set 2 queue 62 set max-rate 10
qos egress-queue-set 2 apply

7.4 From Example 6.4


#
# R-MODULE FILTER CONFIGURATION
#

filter acl 1 create inPort act 4083


filter acl 1 port add 7/26-7/29
filter acl 1 ace 1 action permit
filter acl 1 ace 1 ethernet dst-mac eq ff:ff:ff:ff:ff:ff
filter acl 1 ace 1 arp operation eq arprequest
filter acl 1 ace 1 enable
filter acl 1 ace 2 action deny
filter acl 1 ace 2 debug count enable
filter acl 1 ace 2 arp operation eq arprequest
filter acl 1 ace 2 enable
filter acl 1 ace 3 action deny
filter acl 1 ace 3 debug count enable
filter acl 1 ace 3 advanced custom-filter1 p1 eq 0a011901
filter acl 1 ace 3 enable
filter acl 1 ace 4 action deny
filter acl 1 ace 4 debug count enable
filter acl 1 ace 4 advanced custom-filter2 p2 eq 0a011901
filter acl 1 ace 4 enable
filter acl 1 ace 5 action permit
filter acl 1 ace 5 arp operation eq arpresponse
filter acl 1 ace 5 enable

7.5 From Example 6.6


#
# R-MODULE FILTER CONFIGURATION
#

filter act 1 create


filter act 1 ip srcIp,dstIp,ipProtoType
filter act 1 protocol tcpSrcPort,tcpDstPort,udpDstPort,tcpFlags
filter act 1 pattern SQLslam add ip-tos-begin 216 48
filter act 1 pattern Nachia add ip-tos-begin 224 24
filter act 1 apply
filter acl 4 create inVlan act 1
filter acl 4 vlan add 2
filter acl 4 ace 1 create name "ACE-SQLslam"
filter acl 4 ace 1 action deny stop-on-match true


filter acl 4 ace 1 debug count enable


filter acl 4 ace 1 ip ip-protocol-type eq udp
filter acl 4 ace 1 protocol udp-dst-port eq 1434
filter acl 4 ace 1 advanced custom-filter1 SQLslam eq 040101010101
filter acl 4 ace 1 enable
filter acl 4 ace 2 create name "ACE-Nachia"
filter acl 4 ace 2 action deny stop-on-match true
filter acl 4 ace 2 debug count enable
filter acl 4 ace 2 ip ip-protocol-type eq icmp
filter acl 4 ace 2 advanced custom-filter2 Nachia eq aaaaaa
filter acl 4 ace 2 enable
filter acl 4 ace 3 create name "ACE-Xmas"
filter acl 4 ace 3 action deny stop-on-match true
filter acl 4 ace 3 debug count enable
filter acl 4 ace 3 ip ip-protocol-type eq tcp
filter acl 4 ace 3 protocol tcp-flags match-all push,urg
filter acl 4 ace 3 enable
filter acl 4 ace 4 create name "ACE-SynFinScan"
filter acl 4 ace 4 action deny stop-on-match true
filter acl 4 ace 4 debug count enable
filter acl 4 ace 4 ip ip-protocol-type eq tcp
filter acl 4 ace 4 protocol tcp-flags match-all fin,syn
filter acl 4 ace 4 enable
filter acl 4 ace 5 create name "ACE-FtpPort"
filter acl 4 ace 5 action deny stop-on-match true
filter acl 4 ace 5 debug count enable
filter acl 4 ace 5 ip ip-protocol-type eq tcp
filter acl 4 ace 5 protocol tcp-src-port eq 20
filter acl 4 ace 5 protocol tcp-dst-port le 1024
filter acl 4 ace 5 protocol tcp-flags match-all syn
filter acl 4 ace 5 enable
filter acl 4 ace 6 create name "ACE-DnsPort"
filter acl 4 ace 6 action deny stop-on-match true
filter acl 4 ace 6 debug count enable
filter acl 4 ace 6 ip ip-protocol-type eq tcp
filter acl 4 ace 6 protocol tcp-src-port eq 53
filter acl 4 ace 6 protocol tcp-dst-port le 1024
filter acl 4 ace 6 protocol tcp-flags match-all syn

filter acl 4 ace 6 enable


8. Appendix B – Pre-Defined ACT List


Passport-8610:5# show filter act

================================================================================
ACT Table (Part I)
================================================================================
Id    ActName                       Ethernet   Ip           Protocol     Arp
--------------------------------------------------------------------------------
4082  IP Media filters ACT          none       dscp         tcpSrcPort   none
                                                            udpSrcPort
                                                            tcpDstPort
                                                            udpDstPort
4083  Arp-Spoof_Layer_2 ACT         dstMac     none         none         operation
4084  Mac Src/Dst & ARP ACT         srcMac     none         none         operation
                                    dstMac
4085  Mac Src/Dst & IP ACT          srcMac     srcIp        none         none
                                    dstMac     dstIp
4086  IP Options ACT                none       srcIp        none         none
                                               dstIp
                                               ipOptions
4087  IP Fragmentation ACT          none       srcIp        none         none
                                               dstIp
                                               ipFragFlag
4088  DSCP ACT                      none       srcIp        none         none
                                               dstIp
                                               dscp
4089  UDP ACT                       none       srcIp        udpSrcPort   none
                                               dstIp        udpDstPort
4090  TCP ACT                       none       srcIp        tcpSrcPort   none
                                               dstIp        tcpDstPort
                                                            tcpFlags
4091  IP Sa/Da, Protocol ACT        none       srcIp        none         none
                                               dstIp
                                               ipProtoType
4092  IP Sa & Da ACT                none       srcIp        none         none
                                               dstIp
4093  Arp ACT                       none       none         none         operation
4094  Mac Src-Dst,Ether ACT         srcMac     none         none         none
                                    dstMac
                                    etherType
4095  Mac Src-Dst,Ether,Dot1p ACT   srcMac     none         none         none
                                    dstMac
                                    etherType
                                    vlanTagPrio
4096  IP Ping-Snoop ACT             none       srcIp        icmpMsgType  none
                                               dstIp


9. Appendix C – QoS Details


9.1 Ethernet 802.1Q Tag in Ethernet Header

Figure 15: 802.1Q Ethernet Header (diagram not reproduced; its annotations follow)

• 802.1p User Priorities (8 traffic classes)
• Map 802.1p to queues
• DSCP mapped to/from 802.1p User Priorities
• VLAN ID used to group users with similar requirements
• Filter on VLAN ID
• Filter on MAC address range


9.2 DiffServ: QoS at Layer 3

Figure 16: DiffServ Code Point (diagram not reproduced; its content follows)

Ethernet frame carrying the IP header:
  Dest MAC (6 bytes) | Source MAC (6 bytes) | 802.1q Tag (4 bytes) | Protocol Type (2 bytes) | Data (64-1500 bytes)

IP header fields up to the Differentiated Services field (DS):
  Version (4 bits) | Length (4 bits) | TOS / DS field (8 bits) | Total Length (16 bits) | More IP Header

Differentiated Services field, bits 0 to 7:
  bits 0-5 = DSCP, bits 6-7 = CU (currently unused)
  worked example in the figure: 1 0 1 1 1 0 followed by CU, i.e. the EF code point

Codepoint Space   Use
XXXXX0            Defined Code Points
XXXX11            Experimental or Local use
XXXX01            Future Defined Code Points

• DSCP Marking
  — Differentiated Services Codepoint: six bits of the DS field are used to select the PHB
    that the packet experiences at each node ⇒ 64 possible code points

Assured Forwarding code points:
Drop Precedence   Class 1   Class 2   Class 3   Class 4
Low               001010    010010    011010    100010
Medium            001100    010100    011100    100100
High              001110    010110    011110    100110

9.3 ERS 8600 DSCP ToS/IP Mapping

Table 10: PP8600 DSCP ToS/IP Mapping

DSCP   TOS    IP Precedence   Binary      NNSC       PHB
0x0    0x0    0               000000 00   Standard   CS0
0x0    0x0    -               000000 00              DE
0x8    0x20   1               001000 00   Bronze     CS1
0xA    0x28   -               001010 00              AF11
0x10   0x40   2               010000 00   Silver     CS2
0x12   0x48   -               010010 00              AF21
0x18   0x60   3               011000 00   Gold       CS3
0x1A   0x68   -               011010 00              AF31
0x20   0x80   4               100000 00   Platinum   CS4
0x22   0x88   -               100010 00              AF41
0x28   0xA0   5               101000 00   Premium    CS5
0x2E   0xB8   -               101110 00              EF
0x30   0xC0   6               110000 00   Network    CS6
0x38   0xE0   7               111000 00   Critical   CS7

DSCP and TOS are in hex; IP Precedence is in decimal.
NNSC: Nortel Networks Service Class. PHB: Per Hop Behavior.
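The bit arithmetic behind Figure 16 and Table 10, as an added example that is not part of the Nortel guide. The Python below converts between DSCP and the ToS byte, derives the legacy IP Precedence, classifies a code point into the three codepoint pools, names the PHB from the standard DiffServ bit layout (CSn, AFxy, EF) and rebuilds the AF matrix. The NNSC labels are the ones Table 10 gives for the class-selector rows; which NNSC, if any, the switch attaches to the AF rows is not stated on the page, so the example returns "-" for them.

```python
"""DSCP / ToS / PHB arithmetic behind Figure 16 and Table 10 (added example, not Nortel code).

The six-bit DSCP occupies the top of the IPv4 ToS byte; the two low bits (CU) are
zero in the table. PHB names follow the DiffServ layout: class selectors end in
000, AFxy carries class x in bits 5-3 and drop precedence y in bits 2-1, EF is 101110.
"""
from typing import Dict, Tuple

# NNSC names exactly as Table 10 lists them for the CS rows
NNSC: Dict[str, str] = {"CS0": "Standard", "CS1": "Bronze", "CS2": "Silver", "CS3": "Gold",
                        "CS4": "Platinum", "CS5": "Premium", "CS6": "Network", "CS7": "Critical"}


def dscp_to_tos(dscp: int) -> int:
    """ToS byte value for a DSCP with the CU bits zero (0x2E -> 0xB8)."""
    if not 0 <= dscp < 64:
        raise ValueError("DSCP is a six-bit value")
    return dscp << 2


def tos_to_dscp(tos: int) -> int:
    """Inverse of dscp_to_tos: drop the two CU/ECN bits."""
    return (tos >> 2) & 0x3F


def ip_precedence(dscp: int) -> int:
    """Legacy IP Precedence is the top three bits of the ToS byte, i.e. of the DSCP."""
    return dscp >> 3


def codepoint_pool(dscp: int) -> int:
    """Pool 1 = xxxxx0 (defined code points), pool 2 = xxxx11 (experimental/local use),
    pool 3 = xxxx01 (future defined code points)."""
    if dscp & 0b1 == 0:
        return 1
    return 2 if dscp & 0b11 == 0b11 else 3


def phb_name(dscp: int) -> str:
    """Name the PHB the way Table 10 does: CSn, AFxy or EF."""
    if dscp == 0b101110:
        return "EF"
    cls, low3 = dscp >> 3, dscp & 0b111
    if low3 == 0:
        return f"CS{cls}"
    drop = (dscp >> 1) & 0b11                  # 01 low, 10 medium, 11 high
    if 1 <= cls <= 4 and drop and dscp & 0b1 == 0:
        return f"AF{cls}{drop}"
    return "unassigned"


def describe(dscp: int) -> Tuple[str, str, int, str]:
    """One Table 10 style row: PHB, ToS in hex, IP Precedence, NNSC (or '-')."""
    phb = phb_name(dscp)
    return phb, f"0x{dscp_to_tos(dscp):X}", ip_precedence(dscp), NNSC.get(phb, "-")


def af_table() -> Dict[str, str]:
    """Rebuild the AF matrix of Figure 16: AF<class><drop> -> six-bit pattern."""
    return {f"AF{c}{d}": f"{(c << 3) | (d << 1):06b}" for c in range(1, 5) for d in range(1, 4)}


if __name__ == "__main__":
    for dscp in (0x0, 0x8, 0xA, 0x18, 0x22, 0x28, 0x2E, 0x30, 0x38):
        print(f"0x{dscp:02X}", describe(dscp), "pool", codepoint_pool(dscp))
    print(af_table())
```

This is the arithmetic an ACE action such as "remark-dscp phbcs2" in Appendix A relies on: CS2 is DSCP 0x10, which a capture tool shows as ToS byte 0x40, and a downstream device that only honours IP Precedence reads it as precedence 2.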


10. Appendix D – Hardware Overview

(Block diagram not reproduced. Labels recoverable from it: two CPU/Switch Fabric
modules, each with a 1 GHz Power PC, SuperMezz, DRAM and switch fabric; an I/O
Service Module with FTAPMUX, 10GIG lanes, Feedback Output Queuing, CLUE lookup
table and co-processor, F2E/F2I blocks, ingress/egress RSPs per full-duplex 10GIG
lane, and interface ports of 10x1GIG or 1x10GIG per lane.)

• Redundant and load-sharing CPU/Switch Fabrics for up to 512 GIG of switching
  throughput (380 Mpps)
• Up to 3 CPUs per Control Plane
• I/O blades with ingress and egress Route-Switch-Processors per 10GIG lane for
  line speed ingress/egress packet manipulation (filtering, bridging, routing, MPLS)
• CLUE radix lookup table
• FOQ for enhanced Queue management


11. Software Baseline

The software level of ERS 8600 used for this document is based on release 4.0.

12. Reference Documentation

Document Title                                               Publication Number   Description
Configuring QoS and Filtering for Passport 8600 R Modules    318637-A Rev 00      Technical Publication

Contact Us:
For product support and sales information, visit the Nortel Networks website at:
http://www.nortel.com

In North America, dial 1-800-4Nortel, outside North America dial 987-288-3700.
