Cisco Sg3008 Manual
Cisco Small Business 200, 300 and 500 Series Managed Switch Administration Guide (Internal Version), Chapter 24 Access Control, page 483

-DSCP to Match—Differentiated Services Code Point (DSCP) to match.
-IP Precedence to match—IP precedence is a model of TOS (type of service) that the network uses to help provide the appropriate QoS commitments. This model uses the 3 most significant bits of the service type byte in the IP header, as described in RFC 791 and RFC 1349.
•ICMP—If the IP protocol of the ACL is ICMP, select the ICMP message type used for filtering purposes. Either select the message type by name or enter the message type number:
-Any—All message types are accepted.
-Select from list—Select message type by name.
-ICMP Type to Match—Number of message type to be used for filtering purposes.
•ICMP Code—The ICMP messages can have a code field that indicates how to handle the message. Select one of the following options to configure whether to filter on this code:
-Any—Accept all codes.
-User Defined—Enter an ICMP code for filtering purposes.
•IGMP—If the ACL is based on IGMP, select the IGMP message type to be used for filtering purposes. Either select the message type by name or enter the message type number:
-Any—All message types are accepted.
-Select from list—Select message type by name.
-IGMP Type to match—Number of message type that is to be used for filtering purposes.

STEP 5 Click Apply. The IPv4-based ACE is saved to the Running Configuration file.

IPv6-Based ACLs

The IPv6-Based ACL page displays and enables the creation of IPv6 ACLs, which check pure IPv6-based traffic. IPv6 ACLs do not check IPv6-over-IPv4 or ARP packets.
NOTE ACLs are also used as the building elements of flow definitions for per-flow QoS handling (see QoS Advanced Mode).

Defining an IPv6-based ACL

To define an IPv6-based ACL:

STEP 1 Click Access Control > IPv6-Based ACL. This window contains the list of defined ACLs and their contents.
STEP 2 Click Add.
STEP 3 Enter the name of a new ACL in the ACL Name field. The names are case-sensitive.
STEP 4 Click Apply. The IPv6-based ACL is saved to the Running Configuration file.

Adding Rules (ACEs) for an IPv6-Based ACL

NOTE Each IPv6-based rule consumes two TCAM rules.

STEP 1 Click Access Control > IPv6-Based ACE. This window contains the ACEs (rules) for a specified ACL (group of rules).
STEP 2 Select an ACL, and click Go. All currently-defined IP ACEs for the selected ACL are displayed.
STEP 3 Click Add.
STEP 4 Enter the parameters.
•ACL Name—Displays the name of the ACL to which an ACE is being added.
•Priority—Enter the priority. ACEs with higher priority are processed first.
•Action—Select the action assigned to the packet matching the ACE. The options are as follows:
-Permit—Forward packets that meet the ACE criteria.
-Deny—Drop packets that meet the ACE criteria.
-Shutdown—Drop packets that meet the ACE criteria, and disable the port to which the packets were addressed. Ports are reactivated from the Port Management page.
•Time Range—Select to enable limiting the use of the ACL to a specific time range.
•Time Range Name—If Time Range is selected, select the time range to be used. Time ranges are described in the Time Range section.
•Protocol—Select to create an ACE based on a specific protocol. Select Any (IPv6) to accept all IP protocols. Otherwise select one of the following protocols:
-TCP—Transmission Control Protocol. Enables two hosts to communicate and exchange data streams. TCP guarantees packet delivery, and guarantees that packets are transmitted and received in the order they were sent.
-UDP—User Datagram Protocol. Transmits packets but does not guarantee their delivery.
-ICMP—Matches packets to the Internet Control Message Protocol (ICMP).
•Protocol ID to Match—Enter the ID of the protocol to be matched.
•Source IP Address—Select Any if all source addresses are acceptable, or User defined to enter a source address or range of source addresses.
•Source IP Address Value—Enter the IP address to which the source IP address is to be matched and its mask (if relevant).
•Source IP Prefix Length—Enter the prefix length of the source IP address.
•Destination IP Address—Select Any if all destination addresses are acceptable, or User defined to enter a destination address or a range of destination addresses.
•Destination IP Address Value—Enter the IP address to which the destination IP address is matched and its mask (if relevant).
•Destination IP Prefix Length—Enter the prefix length of the destination IP address.
•Source Port—Select one of the following:
-Any—Match to all source ports.
-Single—Enter a single TCP/UDP source port to which packets are matched. This field is active only if 800/6-TCP or 800/17-UDP is selected in the IP Protocol drop-down menu.
-Range—Select a range of TCP/UDP source ports to which the packet is matched.
•Destination Port—Select one of the available values. (They are the same as for the Source Port field described above.)
NOTE You must specify the IPv6 protocol for the ACL before you can configure the source and/or destination port.
•TCP Flags—Select one or more TCP flags with which to filter packets. Filtered packets are either forwarded or dropped. Filtering packets by TCP flags increases packet control, which increases network security.
-Set—Match if the flag is SET.
-Unset—Match if the flag is Not SET.
-Don't care—Ignore the TCP flag.
•Type of Service—The service type of the IP packet.
•ICMP—If the ACL is based on ICMP, select the ICMP message type that is used for filtering purposes. Either select the message type by name or enter the message type number. If all message types are accepted, select Any.
-Any—All message types are accepted.
-Select from list—Select message type by name from the drop-down list.
-ICMP Type to Match—Number of message type that is to be used for filtering purposes.
•ICMP Code—The ICMP messages may have a code field that indicates how to handle the message. Select one of the following options to configure whether to filter on this code:
-Any—Accept all codes.
-User Defined—Enter an ICMP code for filtering purposes.
STEP 5 Click Apply.
Defining ACL Binding

When an ACL is bound to an interface (port, LAG or VLAN), its ACE rules are applied to packets arriving at that interface. Packets that do not match any of the ACEs in the ACL are matched to a default rule, whose action is to drop unmatched packets. Although each interface can be bound to only one ACL, multiple interfaces can be bound to the same ACL by grouping them into a policy-map, and binding that policy-map to the interface. After an ACL is bound to an interface, it cannot be edited, modified, or deleted until it is removed from all the ports to which it is bound or in use.

NOTE It is possible to bind an interface (port, LAG or VLAN) to a policy or to an ACL, but it cannot be bound to both a policy and an ACL.

To bind an ACL to a port or LAG:

STEP 1 Click Access Control > ACL Binding (Port).
STEP 2 Select an interface type, Ports/LAGs (Port or LAG).
STEP 3 Click Go. For each type of interface selected, all interfaces of that type are displayed with a list of their current ACLs:
•Interface—Identifier of the interface.
•MAC ACL—ACLs of type MAC that are bound to the interface (if any).
•IPv4 ACL—ACLs of type IPv4 that are bound to the interface (if any).
•IPv6 ACL—ACLs of type IPv6 that are bound to the interface (if any).
NOTE To unbind all ACLs from an interface, select the interface, and click Clear.
STEP 4 Select an interface, and click Edit.
STEP 5 Select one of the following:
•Select MAC Based ACL—Select a MAC-based ACL to be bound to the interface.
•Select IPv4 Based ACL—Select an IPv4-based ACL to be bound to the interface.
•Select IPv6 Based ACL—Select an IPv6-based ACL to be bound to the interface.
•Default Action—Select one of the following options:
-Deny Any—If a packet does not match an ACL, it is denied (dropped).
-Permit Any—If a packet does not match an ACL, it is permitted (forwarded).
NOTE Default Action can be defined only if IP Source Guard is not activated on the interface.
STEP 6 Click Apply. The ACL binding is modified, and the Running Configuration file is updated.
NOTE If no ACL is selected, the ACL(s) previously bound to the interface are unbound.

To bind an ACL to a VLAN:

STEP 1 Click Access Control > ACL Binding (VLAN).
STEP 2 Select a VLAN and click Edit. If the VLAN you require is not displayed, add a new one.
STEP 3 Select one of the following:
•Select MAC Based ACL—Select a MAC-based ACL to be bound to the interface.
•Select IPv4 Based ACL—Select an IPv4-based ACL to be bound to the interface.
•Select IPv6 Based ACL—Select an IPv6-based ACL to be bound to the interface.
•Default Action—Select one of the following options:
-Deny Any—If a packet does not match an ACL, it is denied (dropped).
-Permit Any—If a packet does not match an ACL, it is permitted (forwarded).
NOTE Default Action can be defined only if IP Source Guard is not activated on the interface.
STEP 4 Click Apply. The ACL binding is modified, and the Running Configuration file is updated.
NOTE If no ACL is selected, the ACL(s) previously bound to the VLAN are unbound.
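The IPv6 ACE parameters and the binding rules described above (ACEs evaluated in priority order with the first match winning, Permit/Deny/Shutdown actions, port fields that apply only once TCP or UDP is the protocol, TCP flag Set/Unset/Don't care, ICMP type and code, the binding's Default Action for unmatched packets, and two TCAM rules per IPv6 ACE) as an added Python model. This is example code written for this page, not the switch firmware or any Cisco code: the class and function names, the convention that a lower priority number is processed first, the sample prefixes and the contents of the constructed management-port ACL are this example's own assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import IPv6Address, IPv6Network
from typing import Dict, List, Optional, Tuple, Union

TCP, UDP, ICMPV6 = 6, 17, 58                  # IP protocol numbers
PortSpec = Union[None, int, Tuple[int, int]]  # port field: Any / Single / Range (lo, hi)

@dataclass
class Packet:                                 # constructed packet: the fields an IPv6 ACE inspects
    src: str
    proto: int
    sport: int = 0
    dport: int = 0
    tcp_flags: frozenset = frozenset()        # TCP flags that are set, e.g. {"syn", "ack"}
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None

def _port_ok(spec: PortSpec, port: int) -> bool:
    if spec is None:                          # Any
        return True
    if isinstance(spec, tuple):               # Range
        return spec[0] <= port <= spec[1]
    return port == spec                       # Single

@dataclass
class ACE:
    priority: int                    # assumption: the lower the number, the earlier it is processed
    action: str                      # "permit" | "deny" | "shutdown"
    proto: Optional[int] = None      # None = Any (IPv6)
    src: Optional[str] = None        # source prefix such as "2001:db8:10::/64"; None = Any
    sport: PortSpec = None
    dport: PortSpec = None
    tcp_flags: Dict[str, str] = field(default_factory=dict)  # flag -> "set" | "unset" | "dontcare"
    icmp_type: Optional[int] = None  # None = Any
    icmp_code: Optional[int] = None  # None = Any
    def matches(self, p: Packet) -> bool:
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.src and IPv6Address(p.src) not in IPv6Network(self.src):
            return False
        if self.proto in (TCP, UDP) and not (        # ports apply only to TCP/UDP (guide's NOTE)
                _port_ok(self.sport, p.sport) and _port_ok(self.dport, p.dport)):
            return False
        if self.proto == TCP:
            for flag, want in self.tcp_flags.items():
                present = flag in p.tcp_flags
                if (want == "set" and not present) or (want == "unset" and present):
                    return False           # "dontcare" never fails the match
        if self.proto == ICMPV6:
            for want, got in ((self.icmp_type, p.icmp_type), (self.icmp_code, p.icmp_code)):
                if want is not None and got != want:
                    return False
        return True

@dataclass
class Interface:
    ipv6_acl: Optional[List[ACE]] = None   # at most one ACL of each type is bound per interface
    default_action: str = "deny"           # binding's Default Action: "deny" (Deny Any) / "permit"
    admin_up: bool = True

def evaluate(iface: Interface, pkt: Packet) -> str:
    if not iface.admin_up:
        return "port-down"
    if iface.ipv6_acl is None:           # nothing bound, nothing filtered
        return "permit"
    verdict = iface.default_action       # default rule for packets that match no ACE
    for ace in sorted(iface.ipv6_acl, key=lambda a: a.priority):
        if ace.matches(pkt):
            verdict = ace.action         # first match wins
            break
    if verdict == "shutdown":
        iface.admin_up = False           # Shutdown also disables the port (Port Management re-enables)
    return verdict

def demo() -> dict:
    mgmt = [                             # constructed ACL for a switch management port
        ACE(10, "permit", TCP, src="2001:db8:10::/64", dport=22,
            tcp_flags={"syn": "set", "ack": "unset"}),  # new SSH sessions from the admin LAN only
        ACE(20, "shutdown", TCP, dport=23),             # a Telnet attempt disables the port
        ACE(30, "permit", ICMPV6, icmp_type=128),       # ICMPv6 echo request, any code
        ACE(40, "permit", UDP, dport=(33434, 33534)),   # traceroute probe range
    ]
    ge1 = Interface(ipv6_acl=mgmt)                      # Default Action left at Deny Any
    ge2 = Interface(ipv6_acl=mgmt, default_action="permit")
    syn = frozenset({"syn"})
    ssh_admin = Packet("2001:db8:10::5", TCP, 50000, 22, syn)
    ssh_other = Packet("2001:db8:99::5", TCP, 50000, 22, syn)
    ping = Packet("2001:db8:99::5", ICMPV6, icmp_type=128, icmp_code=0)
    telnet = Packet("2001:db8:10::5", TCP, 50001, 23, syn)
    return {
        "ssh_from_admin": evaluate(ge1, ssh_admin),
        "ssh_from_elsewhere": evaluate(ge1, ssh_other),
        "ssh_elsewhere_permit_any": evaluate(ge2, ssh_other),
        "ping": evaluate(ge1, ping),
        "telnet": evaluate(ge1, telnet),
        "after_shutdown": evaluate(ge1, ping),
        "tcam": 2 * len(mgmt),           # guide: each IPv6-based rule consumes two TCAM rules
    }
```

The two interfaces in demo() carry the same ACL and differ only in the binding's Default Action: the SSH attempt from outside the admin prefix is dropped on GE1 (Deny Any) but forwarded on GE2 (Permit Any), which is why the Default Action deserves the same review as the ACEs themselves. The Telnet packet shows the Shutdown side effect: the verdict is returned once, and every later packet on that port is reported as port-down until the port is re-enabled.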
Chapter 25: Quality of Service

The Quality of Service feature is applied throughout the network to ensure that network traffic is prioritized according to required criteria and the desired traffic receives preferential treatment. This section covers the following topics:
•QoS Features and Components
•Configuring QoS - General
•QoS Basic Mode
•QoS Advanced Mode
•Managing QoS Statistics
QoS Features and Components

The QoS feature is used to optimize network performance. QoS provides the following:
•Classification of incoming traffic to traffic classes, based on attributes, including:
-Device Configuration
-Ingress interface
-Packet content
-Combination of these attributes
QoS includes the following:
•Traffic Classification—Classifies each incoming packet as belonging to a specific traffic flow, based on the packet contents and/or the port. The classification is done by ACL (Access Control List), and only traffic that meets the ACL criteria is subject to CoS or QoS classification.
•Assignment to Hardware Queues—Assigns incoming packets to forwarding queues. Packets are sent to a particular queue for handling as a function of the traffic class to which they belong. See Configuring QoS Queues.
•Other Traffic Class-Handling Attributes—Applies QoS mechanisms to various classes, including bandwidth management.

QoS Operation

The type of header field to be trusted is entered in the Global Settings page. For every value of that field, an egress queue is assigned, indicating through which queue the frame is sent, in the CoS/802.1p to Queue page or the DSCP to Queue page (depending on whether the trust mode is CoS/802.1p or DSCP, respectively).
QoS Modes

The QoS mode that is selected applies to all interfaces in the system.
•Basic Mode—Class of Service (CoS). All traffic of the same class receives the same treatment, which is the single QoS action of determining the egress queue on the egress port, based on the indicated QoS value in the incoming frame. This can be the VLAN Priority Tag (VPT) 802.1p value in Layer 2 and the Differentiated Service Code Point (DSCP) value for IPv4 or Traffic Class (TC) value for IPv6 in Layer 3. When operating in Basic Mode, the device trusts this externally assigned QoS value. The externally assigned QoS value of a packet determines its traffic class and QoS. The header field to be trusted is entered in the Global Settings page. For every value of that field, an egress queue is assigned where the frame is sent in the CoS/802.1p to Queue page or the DSCP to Queue page (depending on whether the trust mode is CoS/802.1p or DSCP, respectively).
•Advanced Mode—Per-flow Quality of Service (QoS). In Advanced mode, a per-flow QoS consists of a class map and/or a policer:
-A class map defines the kind of traffic in a flow, and contains one or more ACLs. Packets that match the ACLs belong to the flow.
-A policer applies the configured QoS to a flow. The QoS configuration of a flow may consist of the egress queue, the DSCP or CoS/802.1p value, and actions on out-of-profile (excess) traffic.
•Disable Mode—In this mode all traffic is mapped to a single best-effort queue, so that no type of traffic is prioritized over another.
Only a single mode can be active at a time. When the system is configured to work in QoS Advanced mode, settings for QoS Basic mode are not active and vice versa. When the mode is changed, the following occurs:
•When changing from QoS Advanced mode to any other mode, policy profile definitions and class maps are deleted. ACLs bound directly to interfaces remain bound.
•When changing from QoS Basic mode to Advanced mode, the QoS Trust mode configuration in Basic mode is not retained.
•When disabling QoS, the shaper and queue settings (WRR/SP bandwidth settings) are reset to default values. All other user configurations remain intact.

QoS Workflow

To configure general QoS parameters, perform the following:
STEP 1 Choose the QoS mode (Basic, Advanced, or Disabled, as described in the “QoS Modes” section) for the system by using the QoS Properties page. The following steps in the workflow assume that you have chosen to enable QoS.
STEP 2 Assign each interface a default CoS priority by using the QoS Properties page.
STEP 3 Assign the schedule method (Strict Priority or WRR) and bandwidth allocation for WRR to the egress queues by using the Queue page.
STEP 4 Designate an egress queue to each IP DSCP/TC value with the DSCP to Queue page. If the device is in DSCP trusted mode, incoming packets are put into the egress queues based on their DSCP/TC value.
STEP 5 Designate an egress queue to each CoS/802.1p priority. If the device is in CoS/802.1p trusted mode, all incoming packets are put into the designated egress queues according to the CoS/802.1p priority in the packets. This is done by using the CoS/802.1p to Queue page.
STEP 6 If required for Layer 3 traffic only, assign a queue to each DSCP/TC value, by using the DSCP to Queue page.
STEP 7 Enter bandwidth and rate limits in the following pages:
a. Set egress shaping per queue by using the Egress Shaping Per Queue page.
b. Set ingress rate limit and egress shaping rate per port by using the Bandwidth page.
STEP 8 Configure the selected mode by performing one of the following:
a. Configure Basic mode, as described in Workflow to Configure Basic QoS Mode.
b. Configure Advanced mode, as described in Workflow to Configure Advanced QoS Mode.
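The QoS Modes description and the workflow above, as an added Python model that covers both: the single global mode, Basic-mode queue selection from the trusted CoS/802.1p or DSCP/TC field through a mapping table (with the port's default CoS for untagged frames), the single best-effort queue of Disable mode, a simplified Advanced-mode lookup from the ACL a frame matched through its class map to the policer's egress queue, and the side effects of changing mode (policy and class maps deleted when leaving Advanced mode while directly bound ACLs stay bound, the Basic trust setting not retained on the way to Advanced mode, scheduler settings reset when QoS is disabled). This is example code written for this page, not the switch firmware or any Cisco code; the class names, the four-queue mapping tables, the WRR weights, the fallback to CoS for non-IP frames under DSCP trust and the best-effort queue for Advanced-mode traffic that matches no class map are all this example's assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

BEST_EFFORT_QUEUE = 1
# Assumed default mapping tables for four egress queues (example values, not the factory tables).
DEFAULT_COS_TO_QUEUE = {0: 1, 1: 1, 2: 2, 3: 2, 4: 3, 5: 3, 6: 4, 7: 4}
DEFAULT_DSCP_TO_QUEUE = {d: 1 + d // 16 for d in range(64)}
DEFAULT_SCHEDULER = {"method": "WRR", "weights": [1, 2, 4, 8]}   # assumed Queue page defaults

@dataclass
class Frame:                           # constructed frame: only the QoS-relevant fields
    vpt: Optional[int] = None          # 802.1p priority from the VLAN tag; None = untagged
    dscp: Optional[int] = None         # IPv4 DSCP or IPv6 Traffic Class; None = non-IP frame
    matched_acl: Optional[str] = None  # ACL the frame matched (Advanced-mode flow classification)

@dataclass
class QoSConfig:
    mode: str = "Basic"                # "Basic" | "Advanced" | "Disabled"; applies to all interfaces
    trust: Optional[str] = "CoS"       # Basic-mode trusted field: "CoS" or "DSCP" (Global Settings)
    port_default_cos: Dict[str, int] = field(default_factory=dict)        # QoS Properties page
    cos_to_queue: Dict[int, int] = field(default_factory=lambda: dict(DEFAULT_COS_TO_QUEUE))
    dscp_to_queue: Dict[int, int] = field(default_factory=lambda: dict(DEFAULT_DSCP_TO_QUEUE))
    scheduler: Dict = field(default_factory=lambda: dict(DEFAULT_SCHEDULER))  # Queue page
    class_maps: Dict[str, List[str]] = field(default_factory=dict)        # class map -> ACL names
    policy_maps: Dict[str, Dict[str, int]] = field(default_factory=dict)  # policy -> {class map: queue}
    policy_binding: Dict[str, str] = field(default_factory=dict)          # port -> policy map
    acl_binding: Dict[str, str] = field(default_factory=dict)             # port -> directly bound ACL

    def egress_queue(self, port: str, frame: Frame) -> int:
        if self.mode == "Disabled":
            return BEST_EFFORT_QUEUE                      # everything shares one best-effort queue
        if self.mode == "Basic":
            if self.trust == "DSCP" and frame.dscp is not None:
                return self.dscp_to_queue[frame.dscp]     # DSCP to Queue page
            # CoS trust, or (assumption) a non-IP frame under DSCP trust falling back to CoS
            cos = frame.vpt if frame.vpt is not None else self.port_default_cos.get(port, 0)
            return self.cos_to_queue[cos]                 # CoS/802.1p to Queue page
        # Advanced: the policer of the matching class map sets the queue (policer reduced to its
        # queue here); traffic matching no class map is assumed to get best effort
        policy = self.policy_maps.get(self.policy_binding.get(port, ""), {})
        for class_map, queue in policy.items():
            if frame.matched_acl in self.class_maps.get(class_map, []):
                return queue
        return BEST_EFFORT_QUEUE

    def change_mode(self, new_mode: str) -> None:
        if new_mode not in ("Basic", "Advanced", "Disabled"):
            raise ValueError(new_mode)
        if self.mode == "Advanced" and new_mode != "Advanced":
            self.policy_maps.clear()                      # policy profiles and class maps deleted
            self.class_maps.clear()
            self.policy_binding.clear()                   # (bindings to deleted policies go with them)
            # acl_binding is deliberately untouched: directly bound ACLs remain bound
        if self.mode == "Basic" and new_mode == "Advanced":
            self.trust = None                             # Basic trust setting is not retained
        if new_mode == "Disabled":
            self.scheduler = dict(DEFAULT_SCHEDULER)      # WRR/SP settings reset; rest stays intact
        self.mode = new_mode

def demo() -> dict:
    q = QoSConfig(port_default_cos={"GE1": 0})
    tagged_voice = Frame(vpt=5, dscp=46)                  # 802.1p 5, DSCP 46 (EF)
    untagged_ip = Frame(dscp=46)
    out = {"basic_cos_tagged": q.egress_queue("GE1", tagged_voice),    # CoS 5 -> queue 3
           "basic_cos_untagged": q.egress_queue("GE1", untagged_ip)}   # port default CoS 0 -> 1
    q.trust = "DSCP"
    out["basic_dscp"] = q.egress_queue("GE1", untagged_ip)             # DSCP 46 -> queue 3
    q.acl_binding["GE2"] = "MGMT-V6"                      # an ACL bound directly to a port
    q.change_mode("Advanced")
    out["trust_after_switch"] = q.trust                                # None: must be re-entered
    q.class_maps["voice"] = ["VOICE-ACL"]
    q.policy_maps["edge"] = {"voice": 4}
    q.policy_binding["GE1"] = "edge"
    out["advanced_voice"] = q.egress_queue("GE1", Frame(matched_acl="VOICE-ACL"))   # 4
    out["advanced_other"] = q.egress_queue("GE1", Frame(dscp=46))      # no class map -> 1
    q.scheduler = {"method": "SP", "weights": []}         # operator switched to strict priority
    q.change_mode("Disabled")
    out["policy_maps_left"] = len(q.policy_maps)                       # 0
    out["acl_still_bound"] = q.acl_binding.get("GE2")                  # "MGMT-V6"
    out["scheduler_reset"] = q.scheduler == DEFAULT_SCHEDULER          # True
    out["disabled_queue"] = q.egress_queue("GE1", tagged_voice)        # 1
    return out
```

The sequence in demo() follows the workflow steps in order (mode, default CoS per port, scheduler, DSCP and CoS tables) and then exercises the two mode changes the guide warns about. Two points are worth checking on a real device after a mode change: that the trust field was re-entered after moving to Advanced mode (the model returns None there), and that an ACL which was bound directly to a port, rather than through a policy map, is still bound after leaving Advanced mode.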