Traffic Filters and ACLs for the Ethernet Routing Switch 5000

There have been a few recent comments on the blog and a few questions on the discussion forum about how ACLs (traffic filters) work on the Ethernet Routing Switch 5520. I thought I would take a few minutes to dive into the subject and perhaps either answer some of those questions or foster some additional discussion. Let me get right to the most popular question.

Is the Ethernet Routing Switch 5510/5520/5530 capable of performing basic IP filtering? Yes.

Prior to software release 5.0 you had to do all filtering in QoS policies. A lot of the confusion seems to come from the fact that, in order to perform IP filtering similar to an ACL on a Cisco router, you had to create a QoS policy. With the release of 5.0 software you can now create fairly straightforward ACLs. You can only do this from the CLI or web interface; there’s no support for ACLs in Java Device Manager.

Let me walk you through a simple example.

I started with an ERS-5520-PWR, factory reset the switch, and gave it a management IP address of 192.168.1.50 (VLAN 1);

5520-48T-PWR(config)#ip address switch 192.168.1.50
5520-48T-PWR(config)#ip default-gateway 192.168.1.1
5520-48T-PWR(config)#ip address netmask 255.255.255.0

I created VLAN 100 and moved ports 13-48 to VLAN 100 making sure to set the PVID;

5520-48T-PWR(config)#vlan members remove 1 13-48
5520-48T-PWR(config)#vlan create 100 type port
5520-48T-PWR(config)#vlan members add 100 13-48
5520-48T-PWR(config)#vlan ports 13-48 pvid 100

I enabled IP routing on the switch (remember out of the box it’s just a Layer 2 switch);

5520-48T-PWR(config)#ip routing

I enabled IP routing for VLAN 1 and then gave VLAN 100 an IP address/interface;

5520-48T-PWR(config)#interface vlan 1
5520-48T-PWR(config-if)#ip routing
5520-48T-PWR(config-if)#exit

5520-48T-PWR(config)#interface vlan 100
5520-48T-PWR(config-if)#ip address 192.168.100.1 255.255.255.0 2
5520-48T-PWR(config-if)#ip routing
5520-48T-PWR(config-if)#exit

Let’s just make sure that everything looks right before we get to the real meat of this post;

5520-48T-PWR#show vlan ip
==============================================================================
Vid  ifIndex Address         Mask            MacAddress        Offset Routing
==============================================================================
Primary Interfaces
------------------------------------------------------------------------------
1    10001   192.168.1.50    255.255.255.0   00:1F:0A:CE:XX:40 1      Enabled
100  10100   192.168.100.1   255.255.255.0   00:1F:0A:CE:XX:41 2      Enabled
------------------------------------------------------------------------------
% Total of Primary Interfaces: 2

The two IP interfaces are configured properly and have routing enabled. Let’s make sure that the routing table is correct;

5520-48T-PWR#show ip route
===============================================================================
                                        Ip Route
===============================================================================
DST             MASK            NEXT            COST    VLAN PORT PROT TYPE PRF
-------------------------------------------------------------------------------
0.0.0.0         0.0.0.0         192.168.1.1     10       1    1     S  IB     5
192.168.1.0     255.255.255.0   192.168.1.50    1        1    ----  C  DB     0
192.168.100.0   255.255.255.0   192.168.100.1   1        100  ----  C  DB     0
Total Routes: 3
-------------------------------------------------------------------------------
TYPE Legend:
I=Indirect Route, D=Direct Route, A=Alternative Route, B=Best Route, E=Ecmp Route, U=Unresolved Route, N=Not in HW

Here’s where the real work starts. I created an ACL named “testacl” and then assigned it to port 23.

5520-48T-PWR(config)#qos ip-acl name testacl src-ip 192.168.100.0/24 protocol 6 dst-port-min 80 dst-port-max 80
5520-48T-PWR(config)#qos ip-acl name testacl drop-action enable
5520-48T-PWR(config)#qos acl-assign port 23 acl-type ip name testacl

In the statements above I created an ACL that will allow traffic sourced from 192.168.100.0/24 to a destination TCP port of 80 to pass unrestricted while blocking (dropping) all other traffic. I’ve assigned that ACL to port 23 where I have a test PC connected to the switch.

Let’s pretend that you forgot to allow DNS (UDP/53) queries in your IP filter, so we’ll back out the ACL and recreate it.

First we need to determine the ACL number that was assigned to our ACL called “testacl”. We can do that by issuing the following command;

5520-48T-PWR#show qos acl
Id    Name                         State    ACL  Unit/Port Storage
                                            Type           Type
_____ ____________________________ ________ ____ _________ ________
1     testacl                      Enabled  IP   1/23      NonVol

We also need to know how many rules are in the IP ACL that’s being referenced above. We can do that with the following command;

5520-48T-PWR#show qos ip-acl

Id: 1
Name: testacl
Block:
Address Type: IPv4
Destination Addr/Mask: Ignore
Source Addr/Mask: 192.168.100.0/24
DSCP: Ignore
IPv4 Protocol / IPv6 Next Header: TCP
Destination L4 Port Min: 80
Destination L4 Port Max: 80
Source L4 Port Min: Ignore
Source L4 Port Max: Ignore
IPv6 Flow Id: Ignore
Action Drop: No
Action Update DSCP: Ignore
Action Update 802.1p Priority: Ignore
Action Set Drop Precedence: Low Drop
Type: Access List
Storage Type: NonVolatile

Id: 2
Name: testacl
Block:
Address Type: IPv4
Destination Addr/Mask: Ignore
Source Addr/Mask: Ignore
DSCP: Ignore
IPv4 Protocol / IPv6 Next Header: Ignore
Destination L4 Port Min: Ignore
Destination L4 Port Max: Ignore
Source L4 Port Min: Ignore
Source L4 Port Max: Ignore
IPv6 Flow Id: Ignore
Action Drop: Yes
Action Update DSCP: Ignore
Action Update 802.1p Priority: Ignore
Action Set Drop Precedence: Low Drop
Type: Access List
Storage Type: NonVolatile

Now we can remove the ACL from port 23 and then delete it from the switch;

5520-48T-PWR(config)#no qos acl-assign 1
5520-48T-PWR(config)#no qos ip-acl 2
5520-48T-PWR(config)#no qos ip-acl 1

Now we’ll rebuild the ACL allowing DNS queries to the broadband router;

5520-48T-PWR(config)#qos ip-acl name testacl src-ip 192.168.100.0/24 protocol 6 dst-port-min 80 dst-port-max 80
5520-48T-PWR(config)#qos ip-acl name testacl src-ip 192.168.100.0/24 dst-ip 192.168.1.1/32 protocol 17 dst-port-min 53 dst-port-max 53
5520-48T-PWR(config)#qos ip-acl name testacl drop-action enable
5520-48T-PWR(config)#qos acl-assign port 23 acl-type ip name testacl
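To make the difference between the first and the rebuilt ACL visible without a switch, here is a small Python model of the filter, evaluated against a few constructed packets. This is an added example, not anything from the post or the switch firmware: the Rule fields mirror the `qos ip-acl` parameters used above, the packet headers are constructed sample traffic on the post’s lab addresses, and the first-match, order-entered evaluation is an assumption consistent with how the post relies on a trailing `drop-action enable` rule.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Protocol numbers exactly as typed on the switch: protocol 6 = TCP, 17 = UDP. ICMP added for testing.
TCP, UDP, ICMP = 6, 17, 1


@dataclass(frozen=True)
class Packet:
    """Constructed IPv4 header fields; these are the only fields the page's ACLs look at."""
    src: str
    dst: str
    protocol: int
    dst_port: Optional[int] = None  # None for protocols without L4 ports (ICMP)


@dataclass(frozen=True)
class Rule:
    """One 'qos ip-acl name <acl> ...' statement. None stands for 'Ignore' in 'show qos ip-acl'."""
    src_ip: Optional[str] = None      # e.g. "192.168.100.0/24"
    dst_ip: Optional[str] = None      # e.g. "192.168.1.1/32"
    protocol: Optional[int] = None
    dst_port_min: Optional[int] = None
    dst_port_max: Optional[int] = None
    drop: bool = False                # 'drop-action enable' -> True

    def matches(self, pkt: Packet) -> bool:
        if self.src_ip and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src_ip):
            return False
        if self.dst_ip and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst_ip):
            return False
        if self.protocol is not None and pkt.protocol != self.protocol:
            return False
        if self.dst_port_min is not None:
            hi = self.dst_port_max if self.dst_port_max is not None else self.dst_port_min
            if pkt.dst_port is None or not (self.dst_port_min <= pkt.dst_port <= hi):
                return False
        return True


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """Return 'permit' or 'drop' for pkt.

    Assumption (not stated by the post): rules are tried in the order they were entered and
    the first match decides. A packet matching no rule is forwarded, which is why every ACL
    on the page ends with an unconditional drop rule: leave it off and the filter permits all.
    """
    for rule in acl:
        if rule.matches(pkt):
            return "drop" if rule.drop else "permit"
    return "permit"


# First attempt from the post: HTTP out of 192.168.100.0/24, everything else dropped.
TESTACL_V1 = [
    Rule(src_ip="192.168.100.0/24", protocol=TCP, dst_port_min=80, dst_port_max=80),
    Rule(drop=True),
]

# Rebuilt ACL: the same, plus DNS to the broadband router only.
TESTACL_V2 = [
    Rule(src_ip="192.168.100.0/24", protocol=TCP, dst_port_min=80, dst_port_max=80),
    Rule(src_ip="192.168.100.0/24", dst_ip="192.168.1.1/32", protocol=UDP,
         dst_port_min=53, dst_port_max=53),
    Rule(drop=True),
]

# Constructed sample traffic from a test PC on VLAN 100 (addresses follow the post's lab).
HTTP_OUT = Packet("192.168.100.10", "192.168.1.1", TCP, 80)
DNS_TO_ROUTER = Packet("192.168.100.10", "192.168.1.1", UDP, 53)
DNS_ELSEWHERE = Packet("192.168.100.10", "192.168.1.99", UDP, 53)   # a resolver the ACL does not name
TELNET_OUT = Packet("192.168.100.10", "192.168.1.1", TCP, 23)
PING_OUT = Packet("192.168.100.10", "192.168.1.1", ICMP)


def compare(acl_a: List[Rule], acl_b: List[Rule], packets: List[Packet]) -> List[Tuple]:
    """Side-by-side verdicts, useful for reviewing an ACL change before assigning it to a port."""
    return [(p.protocol, p.dst, p.dst_port, evaluate(acl_a, p), evaluate(acl_b, p)) for p in packets]


if __name__ == "__main__":
    samples = [HTTP_OUT, DNS_TO_ROUTER, DNS_ELSEWHERE, TELNET_OUT, PING_OUT]
    for row in compare(TESTACL_V1, TESTACL_V2, samples):
        print("proto=%-2s dst=%-14s port=%-4s v1=%-6s v2=%s" % row)
```

Running the comparison shows the point of the rebuild: DNS to 192.168.1.1 is dropped by the first ACL and permitted by the second, while DNS to any other resolver, telnet and ping are still dropped by both, because nothing before the final drop rule matches them.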

Now that we have our filter let’s see what it looks like (I’m not a fan of this output format);

5520-48T-PWR#show qos ip-acl

Id: 1
Name: testacl
Block:
Address Type: IPv4
Destination Addr/Mask: Ignore
Source Addr/Mask: 192.168.100.0/24
DSCP: Ignore
IPv4 Protocol / IPv6 Next Header: TCP
Destination L4 Port Min: 80
Destination L4 Port Max: 80
Source L4 Port Min: Ignore
Source L4 Port Max: Ignore
IPv6 Flow Id: Ignore
Action Drop: No
Action Update DSCP: Ignore
Action Update 802.1p Priority: Ignore
Action Set Drop Precedence: Low Drop
Type: Access List
Storage Type: NonVolatile

Id: 2
Name: testacl
Block:
Address Type: IPv4
Destination Addr/Mask: 192.168.1.1/32
Source Addr/Mask: 192.168.100.0/24
DSCP: Ignore
IPv4 Protocol / IPv6 Next Header: UDP
Destination L4 Port Min: 53
Destination L4 Port Max: 53
Source L4 Port Min: Ignore
Source L4 Port Max: Ignore
IPv6 Flow Id: Ignore
Action Drop: No
Action Update DSCP: Ignore
Action Update 802.1p Priority: Ignore
Action Set Drop Precedence: Low Drop
Type: Access List
Storage Type: NonVolatile

Id: 3
Name: testacl
Block:
Address Type: IPv4
Destination Addr/Mask: Ignore
Source Addr/Mask: Ignore
DSCP: Ignore
IPv4 Protocol / IPv6 Next Header: Ignore
Destination L4 Port Min: Ignore
Destination L4 Port Max: Ignore
Source L4 Port Min: Ignore
Source L4 Port Max: Ignore
IPv6 Flow Id: Ignore
Action Drop: Yes
Action Update DSCP: Ignore
Action Update 802.1p Priority: Ignore
Action Set Drop Precedence: Low Drop
Type: Access List
Storage Type: NonVolatile

That’s a basic ACL filter using Layer 3 parameters. There is a Technical Configuration Guide available from Nortel/Avaya that provides additional examples and covers filtering and QoS configuration for the Ethernet Routing Switch 5500 series switches. The guide is a little dated but still a very useful resource in my opinion.

Cheers!

Reference;
2008_04_01_Filters_and_QOS_Configurati0on_for_Ethernet_Routing_Switch_5500_TCG_NN48500559.pdf


  • Richard July 19, 2010, 9:28 pm

    I’ve been hearing people pronounce ACL like ackle. My inner Beavis and Butthead made me laugh at the name you chose for your test ACL: testacl. Sorry!

    Keep up the great work! Your website is a great resource.

  • Nug July 20, 2010, 11:32 pm

    Interesting post, smart that Nortel/Avaya are making it easier for Cisco folk to configure their switches. The thing that bothers me most about the 5500 filters is the port range limitation, from PDF: “Range support is limited to a certain extent, however, because ranges are represented as a bitmask within the overall classification mask, and not with explicit minimum and maximum values”

    • Michael McNamara July 21, 2010, 10:17 pm

      Hi Nug,

      I can’t argue with you there… I must have read that page/section at least two or three times. What I would give for the classic IP filters of the BayRS BCN/BLN/ASN/ARN routers… those were straight forward, easy to write and worked like a charm.

      Thanks for the comment!

  • Craig November 5, 2010, 11:25 am

    Does IP routing have to be enabled in order for these to work?

    • Michael McNamara November 5, 2010, 5:40 pm

      Hi Craig,

      I don’t believe IP routing/forwarding needs to be enabled to utilize the ACL feature, actually I’m pretty sure it should work regardless of whether the switch is acting as a Layer 2 device or Layer 3 device.

      Cheers!

  • martina March 21, 2011, 9:49 am

    Hi,

    I have some problem with ACL on ERS55xx stack of two switches, ERS5530 and ERS5698, software version 6.1.

    I have created an interface group (with only one interface) and associated it with a specific policy rule, but now I can not add more interfaces to this group; only one port can be assigned to the group. There is an error message saying: insufficient hardware resources to support role association.

    Any idea where the problem could be? The interfaces belong to the ERS5698 switch.
    regards,
    Martina

    • Michael McNamara March 21, 2011, 6:25 pm

      Hi Martina,

      There is a limit to the number of filters you can apply since they are performed in hardware and not software… the limit includes some of the built-in features such as DHCP snooping, ARP inspection, IP source guard, etc. I believe there is a command in the CLI interface that will show you how many remaining filters (resources) you can construct although I don’t recall the command at this minute.

      I believe that’s probably part of your problem.

      Good Luck!

  • martina March 22, 2011, 3:44 am

    Hi,

    A max of 256 filters per interface can be defined, and I have 93 filters.
    Could it be something else?

    Regards

    • Michael McNamara March 22, 2011, 12:16 pm

      Hi Martina,

      The error message suggests that you are over extending the available resources.

      Here’s a blurb from page 10 of the Technical Configuration Guide above;

      “Classification with the Ethernet Routing Switch 5500 has some fundamental classification limitations, imposed by hardware, that affect classification overall. The foremost limitation is related to the concept, introduced by the latest classification hardware and the supporting data model, of “classification masks”. A classification mask specifies the fields within a frame that will be used for matching purposes. The mask itself does not specify the data to be matched but rather indicates which fields, or portions thereof, in the various protocol headers (e.g., MAC, IPv4, IPv6 headers) will be examined during the classification process. Currently, a maximum of 15 classification masks and 114 classifiers are available per port for user-defined traffic classification. This effectively means that 15 or fewer unique combinations of classification criteria (i.e., Layer 2, 3 and 4 data) can be specified per port. However, multiple data sets can leverage the same classification mask. This means that, as long as the same protocol data fields are being matched (e.g., IPv4 source address, IPv6 flow label, Layer 2 802.1p User Priority and VLAN Id), a much larger number of classifiers, up to a maximum of 114 per port, can be defined containing unique data values for matching against the fields/offsets identified by the classification mask.”

      I’m sure the ERS 5600 series switches might have more “hardware” than the original ERS 5500 series switches but the error message suggests that’s where you should focus your attention.

      You can try posting in the discussion forums, perhaps someone else will have a better answer.

      Good Luck!

  • jitendra June 16, 2011, 3:51 am

    Hello
    When I have applied an ACL on ports that are in the same VLAN, the ACL works fine but nodes in that VLAN stop communicating.

    • Michael McNamara June 19, 2011, 11:29 pm

      Hi jitendra,

      I’m not quite sure I understand… how is the ACL working fine if it’s disrupting communications to/from nodes in that VLAN?

      Good Luck!

  • Rhys June 23, 2011, 7:02 am

    Hi,

    I am having trouble with ACLs on the ERS 5000 series switches. I have the following configuration:

    qos ip-acl name test src-ip 10.0.0.5/32 dst-ip 10.0.0.100/32 protocol 6 dst-port-min 22 dst-port-max 22 drop-action disable

    qos ip-acl name test src-ip 10.0.0.5/32 dst-ip 10.0.0.100/32 protocol 17 dst-port-min 161 dst-port-max 161 drop-action disable

    qos ip-acl name test dst-ip 10.0.0.100/32 drop-action enable

    qos ip-acl name test drop-action disable

    The above is applied to several ports.

    The access list is supposed to allow SSH and SNMP to the switch from a specified range (rules one and two) block any other access to the switch (rule three) and allow any other device to communicate with anything (rule four).
    Rules 1-3 seem to work; I can SSH and SNMP to the switch from the specified IP range with no problems, ICMP and telnet are blocked.

    I can then contact some devices on the subnet (.20) but not others (.201 and .202)

    I have also tried applying rule four using 0.0.0.0/0 as the src and dst but this gives the same result.

    Any help would be greatly appreciated

    Thanks,

    Rhys.

    • Michael McNamara June 26, 2011, 10:33 pm

      Hi Rhys,

      I believe the drop needs to be the last statement in your ACL. If you want to allow other traffic through the filter you need to create a rule in the ACL, before your last statement, allowing that specific traffic.

      Cheers!

  • Tim July 28, 2011, 5:35 am

    Hi Michael,
    I’m an ex-Nortel-er – your site is great. I am having some issues configuring my ERS 5520 – I’m trying to create a DMZ and need to create an ACL/filter to block hosts on the DMZ segment from contacting the ‘secure’ segment. The NT documentation seems to indicate that I should be able to create an ip-element filtering on TCP flags (e.g. just ‘SYN’) but when I go to do this on my switch, the tcp-control option isn’t there. Any suggestions? I keep reading the documentation but don’t find anything. Could I just create a system element with the byte pattern I’m looking for?
    Best regards,
    Tim

    • Michael McNamara August 4, 2011, 11:49 pm

      Hi Tim,

      You’re probably not running the latest and greatest software release. I believe I did that lab running 6.1.x software.

      Good Luck!

  • charles July 31, 2011, 3:33 am

    The information on the blogs is just 100% precise and very, very (allow me to say very again) clear. Thanks for the solutions you provide.

    Charles Milanya
    Nairobi
    kenya.

  • Drunkard August 26, 2011, 5:28 am

    Hi Michael,

    I tried a ip-acl on Nortel 5510:
    qos ip-acl name “mon” src-ip 172.16.2.1/32 protocol 6 src-port-min 80 src-port-max 80
    qos ip-acl name “mon” src-ip 172.16.2.1/32 protocol 6 src-port-min 3389 src-port-max 3389
    qos ip-acl name “mon” drop-action enable set-drop-prec low-drop
    qos acl-assign port 3 acl-type ip name “mon”

    After it, the PC (172.16.2.1) can’t get an answer to its ARP request, and as a result there is no traffic …
    If I add a static ARP record on the PC, everything works, and the ip-acl too.

    How can I grant a permit for ARP, DHCP and other such traffic?

    Best regards,
    Konstantin.

    • Michael McNamara August 26, 2011, 10:22 am

      Hi Drunkard,

      Those ACLs should only examine IP packets, do you have Dynamic ARP Inspection enabled? Are you testing this from a factory default configuration?

      Cheers!

  • Drunkard August 27, 2011, 12:23 am

    Hi Michael,

    ARP Inspection is disabled. NO, my configuration isn’t a factory default configuration … but I haven’t configured ARP on the switch! Without an ip-acl, ARP and DHCP work well.
    And after: qos acl-assign port 3 acl-type ip name “mon”
    they stop working, even if the ACL has one rule permitting all traffic.

    • Michael McNamara August 31, 2011, 8:22 pm

      Hi Drunkard,

      It appears you are right… the IP-ACL will only permit IP traffic (Ethertype 0x0800) and blocks ARP (Ethertype 0x0806). I’m not sure if you can attach a L2-ACL to allow ARP. I’m very busy these days but if I have time I’ll try to test it out myself.

      Cheers!

      • Drunkard September 6, 2011, 10:26 pm

        Hi Michael,

        I add L2-ACL:
        qos l2-acl name “monL2” drop-action disable
        qos acl-assign port 3 acl-type l2 name “monL2”
        but it didn’t help :(

        Best regards.

        • Alex September 14, 2011, 9:21 am

          Drunkard,

          I had the same problem.
          Try adding an L2-ACL in which you specify the arp ethertype (0x0806)

          qos l2-acl name “monL2” ethertype 0x0806 drop-action disable
          qos l2-acl name “monL2” drop-action disable

          even the L2 ethertype “ignore” doesn’t take arp into account…

          It worked for me.

          • Alex September 14, 2011, 10:40 am

            Sorry my previous post is wrong.
            I messed up in my test, it’s still not working as expected…

  • Jeff October 18, 2011, 4:44 pm

    Wondering if anyone has been able to get this working. I am having the same issue as Drunkard. I have the IP ACLs in place and they work for about 5 minutes, then all traffic is blocked. I am locking down a port on a 5510 so the printer is only permitted to send and receive traffic from two different host addresses. I loaded Wireshark on one of the hosts and ran a continuous ping, and the system tries to ARP for the MAC address of the printer; at this point all traffic stops. I tried the L2 ethertype ACL mentioned above with no success. I am running version 614011s code on the switch.

    qos ip-acl name hurcoll4250 src-ip 192.168.53.1/32 dst-ip 192.168.52.5/32
    qos ip-acl name hurcoll4250 src-ip 192.168.53.1/32 dst-ip 192.168.52.4/32
    qos ip-acl name hurcoll4250 src-ip 192.168.53.1/32 dst-ip 192.168.2.88/32
    qos ip-acl name hurcoll4250 src-ip 192.168.52.5/32 dst-ip 192.168.53.1/32
    qos ip-acl name hurcoll4250 src-ip 192.168.52.4/32 dst-ip 192.168.53.1/32
    qos ip-acl name hurcoll4250 src-ip 192.168.2.88/32 dst-ip 192.168.53.1/32

    qos ip-acl name hurcoll4250 drop-action enable

    qos acl-assign port 40 acl-type ip name hurcoll4250

    • JM October 1, 2012, 3:34 am

      I have the same problem! There’s no Issues?

  • Nick June 7, 2012, 10:03 am

    Is there any way to restrict just SNMP and allow everything else?
    We have some staff that kick off SNMP scanners which I would like to block.

    Thanks

    • Michael McNamara June 11, 2012, 9:52 pm

      You can use an Access Policy on the ERS 8600/8800 series switches.

  • Rajesh Bisht May 31, 2013, 6:31 am

    Hi Michael,

    Do you have any post on inter-VLAN communication restriction in the ERS 8800? I want to block all communication between different VLANs apart from the server VLAN.

    I am new to Nortel/Avaya. I have worked all my life on Cisco & it is pretty easy in Cisco. But, in Nortel, it seems to be too confusing. I tried going through QoS & IP filtering on ERS 8800, but not able to understand much.

    if you have any post/blog on that, it will help.

    Regards

    Rajesh

  • Ekram March 31, 2014, 4:14 am

    Hi Michael, Hope you are doing good!!!

    I am trying to configure QoS based on UDP ports on ERS 5520 SW v6.3.1 using below given command, but its throwing error:
    “qos traffic-profile classifier name Test protocol 17 dst-port-min 54600 dst-port-max 54699 update-dscp 46 update-1p 6 block one eval-order 20 committed-rate 10000 committed-burst-size 4 drop-out-action disable update-dscp-out-action 16”

    Error: Specified Destination Layer 4 min/max range not supported

    Same command is working fine on ERS 4500…..could you please suggest?

    • Michael McNamara April 4, 2014, 1:42 pm

      Hi Ekram,

      I would guess it’s a bug or limitation of the hardware. I would suggest you contact Avaya if you need to know the precise reason.

      Cheers!

      • Ekram April 15, 2014, 12:06 am

        Thanks Michael, I got the solution…..we need to split UDP port range into multiple ranges:

        Port Range Functionality:
        The Ethernet Routing Switch 5500 has the ability to specify a range of values supported by the QoS data model for several classification components (e.g., Layer 4 source and destination port numbers, VLAN Id values). Range support is limited to a certain extent, however, because ranges are represented as a bitmask within the overall classification mask, and not with explicit minimum and maximum values. A range must thus be specified by indicating which bits in the given field (e.g., Layer 4 source port) are “ignored” (i.e., set to 0). Taking into account this limitation, the following rules are used to determine valid range values:
        I. Minimum value: n
        Maximum value: n
        >> Example: min: 20 max: 20 (min = max equates to a range of 1)
        II. Minimum value: 0
        Maximum value: (2^n) - 1
        >> Example: min: 0 max: 63 (n = 6)
        III. Minimum value: even number
        Maximum value: minimum port number in binary with rightmost consecutive 0’s replaced with 1’s, using the formula: Port Maximum = (Port minimum + 2^n) - 1, where n equals the number of consecutive trailing 0’s.
        >> Example: min: 128 max: 255 ((128 + 2^7) - 1 = 255; 128 in binary has 7 consecutive trailing 0’s)
        Specified ranges that do not adhere to one of these three rules cannot be supported and will be flagged as erroneous.
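The three range rules quoted above describe what a bitmask over the 16-bit port field can express, and the fix Ekram describes (splitting the range into several ranges) can be automated. The following is an added Python example, not from the post, the commenter or the Avaya guide: `is_supported_range` applies the three quoted rules literally, `value_mask` computes the value/mask pair a supported range implies, and `split_range` cuts an arbitrary range into aligned power-of-two blocks in the same way an IP range is cut into CIDR prefixes. `split_range` assumes that a block ignoring fewer low bits than its minimum has trailing zeros is also representable; that is a generalization of rule III as quoted, not something the page confirms, so blocks it emits for a range like 54600-54699 should be verified on the switch.

```python
from typing import List, Tuple

PORT_MAX = 0xFFFF  # Layer 4 ports are 16-bit fields


def trailing_zeros(n: int) -> int:
    """Number of consecutive 0 bits at the right end of n (n > 0); the 'n' of rule III."""
    return (n & -n).bit_length() - 1


def is_supported_range(lo: int, hi: int) -> bool:
    """Apply the three quoted rules literally to a min/max pair."""
    if not 0 <= lo <= hi <= PORT_MAX:
        return False
    if lo == hi:                                   # Rule I: a single port
        return True
    if lo == 0 and (hi + 1) & hi == 0:             # Rule II: 0 .. 2^n - 1
        return True
    # Rule III: even minimum, maximum = (minimum + 2^n) - 1, n = trailing zeros of the minimum
    return lo % 2 == 0 and hi == lo + (1 << trailing_zeros(lo)) - 1


def value_mask(lo: int, hi: int) -> Tuple[int, int]:
    """Value/mask pair for an aligned block [lo, lo + 2^k - 1]; the k low bits are 'ignored' (0 in the mask)."""
    size = hi - lo + 1
    if size & (size - 1) or lo % size:
        raise ValueError(f"{lo}-{hi} is not an aligned power-of-two block")
    return lo, PORT_MAX & ~(size - 1)


def split_range(lo: int, hi: int) -> List[Tuple[int, int]]:
    """Greedily cover [lo, hi] with aligned power-of-two blocks, largest first (CIDR-style).

    Assumption beyond the quoted rule III: any block whose size divides its minimum is
    mask-representable, even when it ignores fewer bits than the minimum has trailing zeros.
    """
    if not 0 <= lo <= hi <= PORT_MAX:
        raise ValueError("range out of 16-bit port space")
    blocks = []
    while lo <= hi:
        k = trailing_zeros(lo) if lo else PORT_MAX.bit_length()  # 0 is aligned to every block size
        while lo + (1 << k) - 1 > hi:      # shrink the block until it fits in what is left
            k -= 1
        blocks.append((lo, lo + (1 << k) - 1))
        lo += 1 << k
    return blocks


if __name__ == "__main__":
    # The range from Ekram's rejected command, split into blocks the mask can carry.
    for blk_lo, blk_hi in split_range(54600, 54699):
        value, mask = value_mask(blk_lo, blk_hi)
        print(f"dst-port-min {blk_lo} dst-port-max {blk_hi}   value=0x{value:04X} mask=0x{mask:04X}")
```

Each emitted block becomes one classifier statement with `dst-port-min`/`dst-port-max` set to the block bounds; the 54600-54699 range needs six such statements, which matters because, per the guide text quoted earlier in the thread, classifiers and classification masks are a per-port hardware budget.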

  • Andrey Zverev May 6, 2014, 5:59 am

    Hi Michael,
    at first thank you for your blog, it’s really helped me scores of times.
    And my question:
    Have you ever configured an Avaya VSP 7000 switch? Is ACL configuration like this working on the Avaya VSP 7000? I looked for some information about Traffic Filters and ACLs for the Avaya VSP 7000. There is not a word about it in VSP7000_10_3_Doc_Collection_04_20140402.zip (I have just the doc collection, not a device to test, unfortunately). Meanwhile I tested the ACL configuration from this page on my ERS 4524GT with SW:v5.7.0.008 and it works fine. And it would be really strange if it works on the ERS 4500 and doesn’t work on the VSP 7000.
