There have been a few recent comments on the blog and a few questions on the discussion forum around how ACLs (traffic filters) work on the Ethernet Routing Switch 5520. I thought I would take a few minutes to dive into the subject and perhaps either answer some of those questions or foster some additional discussion. Let me get right to the most popular question.
Is the Ethernet Routing Switch 5510/5520/5530 capable of performing basic IP filtering? Yes.
Prior to software release 5.0 you had to do all filtering in QoS policies. It seems a lot of the confusion comes from the fact that, in order to perform IP filtering similar to an ACL on a Cisco router, you had to create a QoS policy. With the 5.0 software release you can now create fairly straightforward ACLs. You can only do this from the CLI or Web interface; there’s no support for ACLs in Java Device Manager.
Let me walk you through a simple example.
I started with an ERS-5520-PWR, factory reset the switch, and gave it a management IP address of 192.168.1.50 (VLAN 1);
5520-48T-PWR(config)#ip address switch 192.168.1.50
5520-48T-PWR(config)#ip default-gateway 192.168.1.1
5520-48T-PWR(config)#ip address netmask 255.255.255.0
I created VLAN 100 and moved ports 13-48 to VLAN 100 making sure to set the PVID;
5520-48T-PWR(config)#vlan members remove 1 13-48
5520-48T-PWR(config)#vlan create 100 type port
5520-48T-PWR(config)#vlan members add 100 13-48
5520-48T-PWR(config)#vlan ports 13-48 pvid 100
I enabled IP routing on the switch (remember out of the box it’s just a Layer 2 switch);
5520-48T-PWR(config)#ip routing
I enabled IP routing for VLAN 1 and then gave VLAN 100 an IP address/interface;
5520-48T-PWR(config)#interface vlan 1
5520-48T-PWR(config-if)#ip routing
5520-48T-PWR(config-if)#exit
5520-48T-PWR(config)#interface vlan 100
5520-48T-PWR(config-if)#ip address 192.168.100.1 255.255.255.0 2
5520-48T-PWR(config-if)#ip routing
5520-48T-PWR(config-if)#exit
Let’s just make sure that everything looks right before we get to the real meat of this post;
5520-48T-PWR#show vlan ip
==============================================================================
 Vid  ifIndex  Address        Mask             MacAddress         Offset  Routing
==============================================================================
Primary Interfaces
------------------------------------------------------------------------------
 1    10001    192.168.1.50   255.255.255.0    00:1F:0A:CE:XX:40  1       Enabled
 100  10100    192.168.100.1  255.255.255.0    00:1F:0A:CE:XX:41  2       Enabled
------------------------------------------------------------------------------
% Total of Primary Interfaces: 2
The two IP interfaces are configured properly and have routing enabled. Let’s make sure that the routing table is correct;
5520-48T-PWR#show ip route
===============================================================================
Ip Route
===============================================================================
DST            MASK             NEXT           COST  VLAN  PORT  PROT  TYPE  PRF
-------------------------------------------------------------------------------
0.0.0.0        0.0.0.0          192.168.1.1    10    1     1     S     IB    5
192.168.1.0    255.255.255.0    192.168.1.50   1     1     ----  C     DB    0
192.168.100.0  255.255.255.0    192.168.100.1  1     100   ----  C     DB    0
Total Routes: 3
-------------------------------------------------------------------------------
TYPE Legend:
I=Indirect Route, D=Direct Route, A=Alternative Route, B=Best Route, E=Ecmp Route, U=Unresolved Route, N=Not in HW
Here’s where the real work starts. I created an ACL named “testacl” and then assigned it to port 23.
5520-48T-PWR(config)#qos ip-acl name testacl src-ip 192.168.100.0/24 protocol 6 dst-port-min 80 dst-port-max 80
5520-48T-PWR(config)#qos ip-acl name testacl drop-action enable
5520-48T-PWR(config)#qos acl-assign port 23 acl-type ip name testacl
In the statements above I created an ACL that allows traffic sourced from 192.168.100.0/24 to a destination TCP port of 80 to pass unrestricted while dropping all other traffic. Note that the rules are evaluated in the order they were entered, so the catch-all drop-action comes last. I’ve assigned that ACL to port 23, where I have a test PC connected to the switch.
Let’s pretend that you forgot to allow DNS (UDP/53) queries in your IP filter, so we’ll back out the ACL and recreate it.
First we need to determine the ACL number that was assigned to our ACL called “testacl”. We can do that by issuing the following command;
5520-48T-PWR#show qos acl
Id     Name                          State     ACL   Unit/Port  Storage
                                               Type             Type
_____  ____________________________  ________  ____  _________  ________
1      testacl                       Enabled   IP    1/23       NonVol
We also need to know how many rules are in the IP ACL that’s being referenced above. We can do that with the following command;
5520-48T-PWR#show qos ip-acl
Id: 1
Name: testacl
Block:
Address Type: IPv4
Destination Addr/Mask: Ignore
Source Addr/Mask: 192.168.100.0/24
DSCP: Ignore
IPv4 Protocol / IPv6 Next Header: TCP
Destination L4 Port Min: 80
Destination L4 Port Max: 80
Source L4 Port Min: Ignore
Source L4 Port Max: Ignore
IPv6 Flow Id: Ignore
Action Drop: No
Action Update DSCP: Ignore
Action Update 802.1p Priority: Ignore
Action Set Drop Precedence: Low Drop
Type: Access List
Storage Type: NonVolatile

Id: 2
Name: testacl
Block:
Address Type: IPv4
Destination Addr/Mask: Ignore
Source Addr/Mask: Ignore
DSCP: Ignore
IPv4 Protocol / IPv6 Next Header: Ignore
Destination L4 Port Min: Ignore
Destination L4 Port Max: Ignore
Source L4 Port Min: Ignore
Source L4 Port Max: Ignore
IPv6 Flow Id: Ignore
Action Drop: Yes
Action Update DSCP: Ignore
Action Update 802.1p Priority: Ignore
Action Set Drop Precedence: Low Drop
Type: Access List
Storage Type: NonVolatile
Now we can remove the ACL from port 23 and then delete it from the switch;
5520-48T-PWR(config)#no qos acl-assign 1
5520-48T-PWR(config)#no qos ip-acl 2
5520-48T-PWR(config)#no qos ip-acl 1
Now we’ll rebuild the ACL allowing DNS queries to the broadband router;
5520-48T-PWR(config)#qos ip-acl name testacl src-ip 192.168.100.0/24 protocol 6 dst-port-min 80 dst-port-max 80
5520-48T-PWR(config)#qos ip-acl name testacl src-ip 192.168.100.0/24 dst-ip 192.168.1.1/32 protocol 17 dst-port-min 53 dst-port-max 53
5520-48T-PWR(config)#qos ip-acl name testacl drop-action enable
5520-48T-PWR(config)#qos acl-assign port 23 acl-type ip name testacl
Now that we have our filter let’s see what it looks like (I’m not a fan of this output format);
5520-48T-PWR#show qos ip-acl
Id: 1
Name: testacl
Block:
Address Type: IPv4
Destination Addr/Mask: Ignore
Source Addr/Mask: 192.168.100.0/24
DSCP: Ignore
IPv4 Protocol / IPv6 Next Header: TCP
Destination L4 Port Min: 80
Destination L4 Port Max: 80
Source L4 Port Min: Ignore
Source L4 Port Max: Ignore
IPv6 Flow Id: Ignore
Action Drop: No
Action Update DSCP: Ignore
Action Update 802.1p Priority: Ignore
Action Set Drop Precedence: Low Drop
Type: Access List
Storage Type: NonVolatile

Id: 2
Name: testacl
Block:
Address Type: IPv4
Destination Addr/Mask: 192.168.1.1/32
Source Addr/Mask: 192.168.100.0/24
DSCP: Ignore
IPv4 Protocol / IPv6 Next Header: UDP
Destination L4 Port Min: 53
Destination L4 Port Max: 53
Source L4 Port Min: Ignore
Source L4 Port Max: Ignore
IPv6 Flow Id: Ignore
Action Drop: No
Action Update DSCP: Ignore
Action Update 802.1p Priority: Ignore
Action Set Drop Precedence: Low Drop
Type: Access List
Storage Type: NonVolatile

Id: 3
Name: testacl
Block:
Address Type: IPv4
Destination Addr/Mask: Ignore
Source Addr/Mask: Ignore
DSCP: Ignore
IPv4 Protocol / IPv6 Next Header: Ignore
Destination L4 Port Min: Ignore
Destination L4 Port Max: Ignore
Source L4 Port Min: Ignore
Source L4 Port Max: Ignore
IPv6 Flow Id: Ignore
Action Drop: Yes
Action Update DSCP: Ignore
Action Update 802.1p Priority: Ignore
Action Set Drop Precedence: Low Drop
Type: Access List
Storage Type: NonVolatile
That’s a basic ACL filter using Layer 3 parameters. There is a Technical Configuration Guide available from Nortel/Avaya that provides additional examples and covers filtering and QoS configuration of the Ethernet Routing Switch 5500 series switches. The guide is a little dated but still a very useful resource in my opinion.
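To make the ordering behaviour concrete, here is a small Python model of how an ordered ip-acl rule list is evaluated. It is an added example, not part of the original post and not Nortel/Avaya code: it parses the same "qos ip-acl name ..." statements used above into rules (an absent field means Ignore, exactly as "show qos ip-acl" displays it), evaluates constructed packets first-match, and flags rules that an earlier rule makes unreachable. The first-match semantics, the assumption that traffic matching no rule is permitted, the internal field names and the test host 192.168.100.10 are all assumptions of the model.

```python
import ipaddress
import shlex

# CLI keywords this model understands (a subset of the real command) and the
# rule field each one sets. The field names are the model's own, not the switch's.
_KEYS = {"src-ip": "src", "dst-ip": "dst", "protocol": "proto",
         "dst-port-min": "dpmin", "dst-port-max": "dpmax",
         "src-port-min": "spmin", "src-port-max": "spmax"}


def parse_acl(lines):
    """Turn 'qos ip-acl name <acl> ...' lines into an ordered rule list.

    A rule is a dict; a field that is absent means 'Ignore' (match anything).
    A bare 'drop-action enable' becomes a match-anything rule with drop=True,
    which is how 'show qos ip-acl' displays it (the last Id in the post)."""
    rules = []
    for line in lines:
        tok = shlex.split(line)
        if len(tok) < 4 or tok[:3] != ["qos", "ip-acl", "name"]:
            continue
        rule = {"drop": False}
        i = 4
        while i + 1 < len(tok):
            key, val = tok[i], tok[i + 1]
            if key == "drop-action":
                rule["drop"] = (val == "enable")
            elif key in ("src-ip", "dst-ip"):
                rule[_KEYS[key]] = ipaddress.ip_network(val, strict=False)
            elif key in _KEYS:
                rule[_KEYS[key]] = int(val)
            else:
                i += 1          # keyword the model does not know: skip it
                continue
            i += 2
        rules.append(rule)
    return rules


def _in_range(rule, lo, hi, value):
    """A rule with neither bound ignores ports; otherwise the packet must carry
    a port inside [lo, hi]."""
    if lo not in rule and hi not in rule:
        return True
    return value is not None and rule.get(lo, 0) <= value <= rule.get(hi, 65535)


def matches(rule, pkt):
    """True when every non-Ignore field of the rule matches the packet."""
    if "src" in rule and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if "dst" in rule and ipaddress.ip_address(pkt["dst"]) not in rule["dst"]:
        return False
    if "proto" in rule and rule["proto"] != pkt["proto"]:
        return False
    return (_in_range(rule, "dpmin", "dpmax", pkt.get("dport"))
            and _in_range(rule, "spmin", "spmax", pkt.get("sport")))


def evaluate(rules, pkt):
    """First matching rule decides; returns (verdict, 1-based rule id).
    Model assumption: a packet matching no rule is permitted, which is why
    the post always ends the list with 'drop-action enable'."""
    for idx, rule in enumerate(rules, start=1):
        if matches(rule, pkt):
            return ("drop" if rule["drop"] else "permit", idx)
    return ("permit", None)


def covers(a, b):
    """True when every packet that rule b matches, rule a matches too."""
    for f in ("src", "dst"):
        if f in a and (f not in b or not b[f].subnet_of(a[f])):
            return False
    if "proto" in a and a["proto"] != b.get("proto"):
        return False
    for lo, hi in (("dpmin", "dpmax"), ("spmin", "spmax")):
        if lo in a and b.get(lo, 0) < a[lo]:
            return False
        if hi in a and b.get(hi, 65535) > a[hi]:
            return False
    return True


def shadowed_rules(rules):
    """1-based ids of rules that can never be hit because an earlier rule
    covers everything they would match (e.g. a catch-all drop placed first)."""
    return [j + 1 for j, later in enumerate(rules)
            if any(covers(rules[i], later) for i in range(j))]


# The post's first "testacl" (HTTP only) and the rebuilt one that also
# allows DNS to the router; the statements are the ones shown on the page.
FIRST_ACL = parse_acl([
    "qos ip-acl name testacl src-ip 192.168.100.0/24 protocol 6 dst-port-min 80 dst-port-max 80",
    "qos ip-acl name testacl drop-action enable",
])
REBUILT_ACL = parse_acl([
    "qos ip-acl name testacl src-ip 192.168.100.0/24 protocol 6 dst-port-min 80 dst-port-max 80",
    "qos ip-acl name testacl src-ip 192.168.100.0/24 dst-ip 192.168.1.1/32 protocol 17 dst-port-min 53 dst-port-max 53",
    "qos ip-acl name testacl drop-action enable",
])
# Constructed mis-ordered variant: the catch-all drop was entered first.
BAD_ORDER = parse_acl([
    "qos ip-acl name bad drop-action enable",
    "qos ip-acl name bad src-ip 192.168.100.0/24 protocol 6 dst-port-min 80 dst-port-max 80",
])
# Constructed packets from the test PC on port 23 (192.168.100.10 is assumed).
HTTP = {"src": "192.168.100.10", "dst": "192.0.2.10", "proto": 6, "dport": 80}
DNS = {"src": "192.168.100.10", "dst": "192.168.1.1", "proto": 17, "dport": 53}
TELNET = {"src": "192.168.100.10", "dst": "192.168.1.1", "proto": 6, "dport": 23}

if __name__ == "__main__":
    for name, acl in (("first", FIRST_ACL), ("rebuilt", REBUILT_ACL)):
        for pname, pkt in (("http", HTTP), ("dns", DNS), ("telnet", TELNET)):
            print(name, pname, evaluate(acl, pkt))
    print("shadowed rules in BAD_ORDER:", shadowed_rules(BAD_ORDER))
```

Running it shows the DNS query hitting the catch-all drop (rule 2) under the first ACL and the new UDP/53 rule (rule 2) under the rebuilt one, while telnet still falls through to the final drop; the mis-ordered list reports its allow rule as shadowed, which is the situation to check for whenever a "drop-action enable" is not the last statement.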
Cheers!
I’ve been hearing people pronounce ACL like ackle. My inner Beavis and Butthead made me laugh at the name you chose for your test ACL: testacl. Sorry!
Keep up the great work! Your website is a great resource.
That was pretty good Rich… gave me a good laugh!
Interesting post, smart that Nortel/Avaya are making it easier for Cisco folk to configure their switches. The thing that bothers me most about the 5500 filters is the port range limitation, from PDF: “Range support is limited to a certain extent, however, because ranges are represented as a bitmask within the overall classification mask, and not with explicit minimum and maximum values”
Hi Nug,
I can’t argue with you there… I must have read that page/section at least two or three times. What I would give for the classic IP filters of the BayRS BCN/BLN/ASN/ARN routers… those were straight forward, easy to write and worked like a charm.
Thanks for the comment!
Does IP routing have to be enabled in order for these to work?
Hi Craig,
I don’t believe IP routing/forwarding needs to be enabled to utilize the ACL feature, actually I’m pretty sure it should work regardless of whether the switch is acting as a Layer 2 device or Layer 3 device.
Cheers!
Hi,
I have some problem with ACL on ERS55xx stack of two switches, ERS5530 and ERS5698, software version 6.1.
I have created an interface group (with only one interface) and associated it with a specific policy rule, but now I can not add more interfaces to this group; only one port can be assigned to the group. There is an error message saying: insufficient hardware resources to support role association.
Any idea where the problem could be? The interfaces belong to the ERS5698 switch.
regards,
Martina
Hi Martina,
There is a limit to the number of filters you can apply since they are performed in hardware and not software… the limit includes some of the built-in features such as DHCP snooping, ARP inspection, IP source guard, etc. I believe there is a command in the CLI interface that will show you how many remaining filters (resources) you can construct although I don’t recall the command at this minute.
I believe that’s probably part of your problem.
Good Luck!
Hi,
A maximum of 256 filters per interface can be defined; I have 93 filters.
Could be something else?
Regards
Hi Martina,
The error message suggests that you are over extending the available resources.
Here’s a blurb from page 10 of the Technical Configuration Guide above;
“Classification with the Ethernet Routing Switch 5500 has some fundamental classification limitations, imposed by hardware, that affect classification overall. The foremost limitation is related to the concept, introduced by the latest classification hardware and the supporting data model, of “classification masks”. A classification mask specifies the fields within a frame that will be used for matching purposes. The mask itself does not specify the data to be matched but rather indicates which fields, or portions thereof, in the various protocol headers (e.g., MAC, IPv4, IPv6 headers) will be examined during the classification process. Currently, a maximum of 15 classification masks and 114 classifiers are available per port for user-defined traffic classification. This effectively means that 15 or fewer unique combinations of classification criteria (i.e., Layer 2, 3 and 4 data) can be specified per port. However, multiple data sets can leverage the same classification mask. This means that, as long as the same protocol data fields are being matched (e.g., IPv4 source address, IPv6 flow label, Layer 2 802.1p User Priority and VLAN Id), a much larger number of classifiers, up to a maximum of 114 per port, can be defined containing unique data values for matching against the fields/offsets identified by the classification mask.”
I’m sure the ERS 5600 series switches might have more “hardware” than the original ERS 5500 series switches but the error message suggests that’s where you should focus your attention.
You can try posting in the discussion forums, perhaps someone else will have a better answer.
Good Luck!
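The quoted guide makes the point that the per-port budget is two numbers, not one: how many distinct field combinations (classification masks) the rules use, and how many rules (classifiers) there are. The following added Python model, which is not from the original post, the guide or Nortel/Avaya, counts both for a rule list and compares them with the quoted limits of 15 masks and 114 classifiers per port. The field names, the sample values and the rule generators are constructed for the example; the model also does not count entries consumed by built-in features such as DHCP snooping or ARP inspection, which the reply above notes share the same hardware.

```python
import itertools

# Per-port limits quoted from the Technical Configuration Guide in the reply above.
MAX_MASKS = 15
MAX_CLASSIFIERS = 114

# Header fields a rule may examine. Names are this model's, not the switch's.
FIELDS = ("src-ip", "dst-ip", "protocol", "dst-port", "src-port", "dscp")
# Constructed sample values used when a rule examines a field.
SAMPLE = {"src-ip": "10.0.0.5/32", "dst-ip": "10.0.0.100/32", "protocol": 6,
          "dst-port": 22, "src-port": 1024, "dscp": 46}


def make_rule(drop=False, **examined):
    """A rule is a dict with every field present; None means 'Ignore'."""
    rule = {f: None for f in FIELDS}
    rule.update(examined)
    rule["drop"] = drop
    return rule


def classification_mask(rule):
    """The mask is the set of fields a rule examines (the non-Ignore ones);
    rules that examine the same fields share one mask in this model, as the
    guide describes."""
    return frozenset(f for f in FIELDS if rule[f] is not None)


def port_resources(rules):
    """Masks and classifiers a rule list needs on one port, checked against
    the guide's limits. Built-in features also consume entries (not counted)."""
    masks = {classification_mask(r) for r in rules}
    return {"masks": len(masks), "classifiers": len(rules),
            "fits": len(masks) <= MAX_MASKS and len(rules) <= MAX_CLASSIFIERS}


def uniform_rules(n):
    """n host permits that all examine src-ip and dst-ip: 1 mask, n classifiers."""
    return [make_rule(**{"src-ip": f"10.0.{i // 256}.{i % 256}/32",
                         "dst-ip": "10.0.0.100/32"}) for i in range(n)]


def varied_rules(n):
    """n rules that each examine a different combination of fields: n masks."""
    combos = [c for size in range(1, len(FIELDS) + 1)
              for c in itertools.combinations(FIELDS, size)]
    return [make_rule(**{f: SAMPLE[f] for f in combo}) for combo in combos[:n]]


if __name__ == "__main__":
    # 93 filters can fit comfortably or not at all, depending on the masks.
    print("93 same-shape rules:", port_resources(uniform_rules(93)))
    print("20 differently shaped rules:", port_resources(varied_rules(20)))
```

The two printed cases are the practical takeaway: 93 rules that all match on the same fields need only one mask and fit, whereas 20 rules that each match on a different combination of fields exhaust the 15 masks long before the classifier limit. When the switch reports insufficient hardware resources, reworking rules so they share field combinations is the first thing to try.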
Hello
When I have applied an ACL on ports that are in the same VLAN, the ACL works fine but nodes in that VLAN stop communicating.
Hi jitendra,
I’m not quite sure I understand… how is the ACL working fine if it’s disrupting communications to/from nodes in that VLAN?
Good Luck!
Hi,
I am having trouble with ACL’s on the ERS 5000 series switches. I have the following configuration:
qos ip-acl name test src-ip 10.0.0.5/32 dst-ip 10.0.0.100/32 protocol 6 dst-port-min 22 dst-port-max 22 drop action disable
qos ip-acl name test src-ip 10.0.0.5/32 dst-ip 10.0.0.100/32 protocol 17 dst-port-min 161 dst-port-max 161 drop action disable
qos ip-acl name test dst-ip 10.0.0.100/32 drop-action enable
qos ip-acl name test drop-action disable
The above is applied to several ports.
The access list is supposed to allow SSH and SNMP to the switch from a specified range (rules one and two) block any other access to the switch (rule three) and allow any other device to communicate with anything (rule four).
Rules 1-3 seem to work; I can SSH and SNMP to the switch from the specified IP range with no problems, ICMP and telnet are blocked.
I can then contact some devices on the subnet (.20) but not others (.201 and .202)
I have also tried applying rule four using 0.0.0.0/0 as the src and dst but this gives the same result.
Any help would be greatly appreciated
Thanks,
Rhys.
Hi Rhys,
I believe the drop needs to be the last statement in your ACL. If you want to allow other traffic through the filter you need to create a rule in the ACL before your last statement allow that specific traffic.
Cheers!
Hi Michael,
I’m an ex-Nortel-er – your site is great. I am having some issues configuring my ERS 5520 – I’m trying to create a DMZ and need to create an ACL/filter to block hosts on the DMZ segment from contacting the ‘secure’ segment. The NT documentation seems to indicate that I should be able to create an ip-element filtering on TCP flags (e.g. just ‘SYN’) but when I go to do this on my switch, the tcp-control option isn’t there. Any suggestions? I keep reading the documentation but don’t find anything. Could I just create a system element with the byte pattern I’m looking for?
Best regards,
Tim
Hi Tim,
You’re probably not running the latest and greatest software release. I believe I did that lab running 6.1.x software.
Good Luck!
The information on the blogs is just 100% precise and very, very, allow me to say very again, clear. Thanks for the solutions you provide.
Charles Milanya
Nairobi
kenya.
Hi Michael,
I tried an ip-acl on a Nortel 5510:
qos ip-acl name "mon" src-ip 172.16.2.1/32 protocol 6 src-port-min 80 src-port-max 80
qos ip-acl name "mon" src-ip 172.16.2.1/32 protocol 6 src-port-min 3389 src-port-max 3389
qos ip-acl name "mon" drop-action enable set-drop-prec low-drop
qos acl-assign port 3 acl-type ip name "mon"
After that the PC (172.16.2.1) can’t get an answer to its ARP requests, and as a result there is no traffic …
If I add a static ARP record on the PC, everything works and the ip-acl too.
How can I grant a permit for ARP, DHCP, etc. traffic?
Best regards,
Konstantin.
Hi Drunkard,
Those ACLs should only examine IP packets, do you have Dynamic ARP Inspection enabled? Are you testing this from a factory default configuration?
Cheers!
Hi Michael,
ARP Inspection is disabled. No, my configuration isn’t a factory default configuration … but I didn’t configure ARP on the switch! Without an ip-acl, ARP and DHCP work well.
And after: qos acl-assign port 3 acl-type ip name "mon"
they stop working, even if the ACL has one rule permitting all traffic.
Hi Drunkard,
It appears you are right… the IP-ACL will only permit IP traffic (Ethertype 0x0800) and blocks ARP (Ethertype 0x0806). I’m not sure if you can attach an L2-ACL to allow ARP. I’m very busy these days, but if I have time I’ll try to test it out myself.
Cheers!
Hi Michael,
I added an L2-ACL:
qos l2-acl name "monL2" drop-action disable
qos acl-assign port 3 acl-type l2 name "monL2"
but it didn’t help :(
Best regards.
Drunkard,
I had the same problem.
Try adding an L2-ACL in which you specify the ARP ethertype (0x0806):
qos l2-acl name "monL2" ethertype 0x0806 drop-action disable
qos l2-acl name "monL2" drop-action disable
Even the L2 ethertype “ignore” doesn’t take ARP into account…
It worked for me.
Sorry my previous post is wrong.
I messed up in my test, it’s still not working as expected…
Wondering if anyone has been able to get this working. I am having the same issue as Drunkard. I have the IP ACLs in place and they work for about 5 minutes, then all traffic is blocked. I am locking down a port on a 5510 so the printer is only permitted to send and receive traffic from two different host addresses. I loaded Wireshark on one of the hosts and ran a continuous ping, and the system tries to ARP for the MAC address of the printer; at this point all traffic stops. I tried the L2 ethertype ACL mentioned above with no success. I am running version 614011s code on the switch.
qos ip-acl name hurcoll4250 src-ip 192.168.53.1/32 dst-ip 192.168.52.5/32
qos ip-acl name hurcoll4250 src-ip 192.168.53.1/32 dst-ip 192.168.52.4/32
qos ip-acl name hurcoll4250 src-ip 192.168.53.1/32 dst-ip 192.168.2.88/32
qos ip-acl name hurcoll4250 src-ip 192.168.52.5/32 dst-ip 192.168.53.1/32
qos ip-acl name hurcoll4250 src-ip 192.168.52.4/32 dst-ip 192.168.53.1/32
qos ip-acl name hurcoll4250 src-ip 192.168.2.88/32 dst-ip 192.168.53.1/32
qos ip-acl name hurcoll4250 drop-action enable
qos acl-assign port 40 acl-type ip name hurcoll4250
I have the same problem! Are there no fixes?
Is there any way to restrict just SNMP and allow everything else?
We have some staff that kick off SNMP scanners which I would like to block.
Thanks
You can use an Access Policy on the ERS 8600/8800 series switches.