Posts tagged ERS5000

Traffic Filters and ACLs for the Ethernet Routing Switch 5000


There have been a few recent comments on the blog and a few questions on the discussion forum around how ACLs (traffic filters) work on the Ethernet Routing Switch 5520. I thought I would take a few minutes to dive into the subject and perhaps either answer some of those questions or foster some additional discussion. Let me get right to the most popular question.

Is the Ethernet Routing Switch 5510/5520/5530 capable of performing basic IP filtering? Yes.

Prior to software release 5.0 you had to do all filtering in QoS policies. It seems a lot of the confusion comes from the fact that, in order to perform IP filtering similar to an ACL on a Cisco router, you had to create a QoS policy. With the release of 5.0 software you can now create fairly straightforward ACLs. You can only do this from the CLI or the web interface; there’s no support for ACLs in Java Device Manager.

Let me walk you through a simple example.

I started with an ERS-5520-PWR, factory reset the switch, and gave it a management IP address of 192.168.1.50 (VLAN 1);

5520-48T-PWR(config)#ip address switch 192.168.1.50
5520-48T-PWR(config)#ip default-gateway 192.168.1.1
5520-48T-PWR(config)#ip address netmask 255.255.255.0

I created VLAN 100 and moved ports 13-48 to VLAN 100 making sure to set the PVID;

5520-48T-PWR(config)#vlan members remove 1 13-48
5520-48T-PWR(config)#vlan create 100 type port
5520-48T-PWR(config)#vlan members add 100 13-48
5520-48T-PWR(config)#vlan ports 13-48 pvid 100

I enabled IP routing on the switch (remember out of the box it’s just a Layer 2 switch);

5520-48T-PWR(config)#ip routing

I enabled IP routing for VLAN 1 and then gave VLAN 100 an IP address/interface;

5520-48T-PWR(config)#interface vlan 1
5520-48T-PWR(config-if)#ip routing
5520-48T-PWR(config-if)#exit

5520-48T-PWR(config)#interface vlan 100
5520-48T-PWR(config-if)#ip address 192.168.100.1 255.255.255.0 2
5520-48T-PWR(config-if)#ip routing
5520-48T-PWR(config-if)#exit

Let’s just make sure that everything looks right before we get to the real meat of this post;

5520-48T-PWR#show vlan ip
==============================================================================
Vid  ifIndex Address         Mask            MacAddress        Offset Routing
==============================================================================
Primary Interfaces
------------------------------------------------------------------------------
1    10001   192.168.1.50    255.255.255.0   00:1F:0A:CE:XX:40 1      Enabled
100  10100   192.168.100.1   255.255.255.0   00:1F:0A:CE:XX:41 2      Enabled
------------------------------------------------------------------------------
% Total of Primary Interfaces: 2

The two IP interfaces are configured properly and have routing enabled. Let’s make sure that the routing table is correct;

5520-48T-PWR#show ip route
===============================================================================
                                        Ip Route
===============================================================================
DST             MASK            NEXT            COST    VLAN PORT PROT TYPE PRF
-------------------------------------------------------------------------------
0.0.0.0         0.0.0.0         192.168.1.1     10       1    1     S  IB     5
192.168.1.0     255.255.255.0   192.168.1.50    1        1    ----  C  DB     0
192.168.100.0   255.255.255.0   192.168.100.1   1        100  ----  C  DB     0
Total Routes: 3
-------------------------------------------------------------------------------
TYPE Legend:
I=Indirect Route, D=Direct Route, A=Alternative Route, B=Best Route, E=Ecmp Route, U=Unresolved Route, N=Not in HW

Here’s where the real work starts. I created an ACL named “testacl” and then assigned it to port 23.

5520-48T-PWR(config)#qos ip-acl name testacl src-ip 192.168.100.0/24 protocol 6 dst-port-min 80 dst-port-max 80
5520-48T-PWR(config)#qos ip-acl name testacl drop-action enable
5520-48T-PWR(config)#qos acl-assign port 23 acl-type ip name testacl

In the statements above I created an ACL that allows traffic sourced from 192.168.100.0/24 to TCP destination port 80 to pass unrestricted, while the drop-action line blocks (drops) all other traffic. I’ve assigned that ACL to port 23, where I have a test PC connected to the switch.

Let’s just pretend that you forgot to allow DNS (UDP/53) queries in your IP filter so let’s back out the ACL and recreate it.

First we need to determine the ACL number that was assigned to our ACL called “testacl”. We can do that by issuing the following command;

5520-48T-PWR#show qos acl
Id    Name                         State    ACL  Unit/Port Storage
                                            Type           Type
_____ ____________________________ ________ ____ _________ ________
1     testacl                      Enabled  IP   1/23      NonVol

We also need to know how many rules are in the IP ACL that’s being referenced above. We can do that with the following command;

5520-48T-PWR#show qos ip-acl

Id: 1
Name: testacl
Block:
Address Type: IPv4
Destination Addr/Mask: Ignore
Source Addr/Mask: 192.168.100.0/24
DSCP: Ignore
IPv4 Protocol / IPv6 Next Header: TCP
Destination L4 Port Min: 80
Destination L4 Port Max: 80
Source L4 Port Min: Ignore
Source L4 Port Max: Ignore
IPv6 Flow Id: Ignore
Action Drop: No
Action Update DSCP: Ignore
Action Update 802.1p Priority: Ignore
Action Set Drop Precedence: Low Drop
Type: Access List
Storage Type: NonVolatile

Id: 2
Name: testacl
Block:
Address Type: IPv4
Destination Addr/Mask: Ignore
Source Addr/Mask: Ignore
DSCP: Ignore
IPv4 Protocol / IPv6 Next Header: Ignore
Destination L4 Port Min: Ignore
Destination L4 Port Max: Ignore
Source L4 Port Min: Ignore
Source L4 Port Max: Ignore
IPv6 Flow Id: Ignore
Action Drop: Yes
Action Update DSCP: Ignore
Action Update 802.1p Priority: Ignore
Action Set Drop Precedence: Low Drop
Type: Access List
Storage Type: NonVolatile

Now we can remove the ACL from port 23 and then delete it from the switch;

5520-48T-PWR(config)#no qos acl-assign 1
5520-48T-PWR(config)#no qos ip-acl 2
5520-48T-PWR(config)#no qos ip-acl 1

Now we’ll rebuild the ACL allowing DNS queries to the broadband router;

5520-48T-PWR(config)#qos ip-acl name testacl src-ip 192.168.100.0/24 protocol 6 dst-port-min 80 dst-port-max 80
5520-48T-PWR(config)#qos ip-acl name testacl src-ip 192.168.100.0/24 dst-ip 192.168.1.1/32 protocol 17 dst-port-min 53 dst-port-max 53
5520-48T-PWR(config)#qos ip-acl name testacl drop-action enable
5520-48T-PWR(config)#qos acl-assign port 23 acl-type ip name testacl

Now that we have our filter let’s see what it looks like (I’m not a fan of this output format);

5520-48T-PWR#show qos ip-acl

Id: 1
Name: testacl
Block:
Address Type: IPv4
Destination Addr/Mask: Ignore
Source Addr/Mask: 192.168.100.0/24
DSCP: Ignore
IPv4 Protocol / IPv6 Next Header: TCP
Destination L4 Port Min: 80
Destination L4 Port Max: 80
Source L4 Port Min: Ignore
Source L4 Port Max: Ignore
IPv6 Flow Id: Ignore
Action Drop: No
Action Update DSCP: Ignore
Action Update 802.1p Priority: Ignore
Action Set Drop Precedence: Low Drop
Type: Access List
Storage Type: NonVolatile

Id: 2
Name: testacl
Block:
Address Type: IPv4
Destination Addr/Mask: 192.168.1.1/32
Source Addr/Mask: 192.168.100.0/24
DSCP: Ignore
IPv4 Protocol / IPv6 Next Header: UDP
Destination L4 Port Min: 53
Destination L4 Port Max: 53
Source L4 Port Min: Ignore
Source L4 Port Max: Ignore
IPv6 Flow Id: Ignore
Action Drop: No
Action Update DSCP: Ignore
Action Update 802.1p Priority: Ignore
Action Set Drop Precedence: Low Drop
Type: Access List
Storage Type: NonVolatile

Id: 3
Name: testacl
Block:
Address Type: IPv4
Destination Addr/Mask: Ignore
Source Addr/Mask: Ignore
DSCP: Ignore
IPv4 Protocol / IPv6 Next Header: Ignore
Destination L4 Port Min: Ignore
Destination L4 Port Max: Ignore
Source L4 Port Min: Ignore
Source L4 Port Max: Ignore
IPv6 Flow Id: Ignore
Action Drop: Yes
Action Update DSCP: Ignore
Action Update 802.1p Priority: Ignore
Action Set Drop Precedence: Low Drop
Type: Access List
Storage Type: NonVolatile

That’s a basic ACL filter using Layer 3 parameters. There is a Technical Configuration Guide available from Nortel/Avaya that provides additional examples and covers filtering and QoS configuration of the Ethernet Routing Switch 5500 series switches. The guide is a little dated but still a very useful resource in my opinion.
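The ACL above is evaluated top down: the first matching rule wins, and the drop-action line becomes the catch-all drop rule you see as the last Id in the show output. The following is an added example (not Nortel/Avaya code) that models that evaluation over the exact qos ip-acl lines from this post, so you can check offline that the first ACL silently drops DNS while the rebuilt one permits it; the test PC address 192.168.100.10 and the 198.51.100.x destinations are constructed.

```python
import ipaddress

# Constructed model of ERS 5500 "qos ip-acl" evaluation: rules are tried in
# order, the first match decides, and "drop-action enable" appends a
# catch-all drop rule at the end of the list (Id 2 or Id 3 in the post).

def parse_acl(cli_lines):
    """Turn 'qos ip-acl name <acl> ...' CLI lines into an ordered rule list."""
    rules = []
    for line in cli_lines:
        tok = line.split()
        if tok[:3] != ["qos", "ip-acl", "name"]:
            continue
        kv = dict(zip(tok[4::2], tok[5::2]))  # keyword/value pairs after the name
        if kv.get("drop-action") == "enable":
            rules.append({"drop": True})  # matches everything that got this far
            continue
        rules.append({  # a field left out on the CLI shows as "Ignore" in show output
            "drop": False,
            "src": ipaddress.ip_network(kv["src-ip"]) if "src-ip" in kv else None,
            "dst": ipaddress.ip_network(kv["dst-ip"]) if "dst-ip" in kv else None,
            "proto": int(kv["protocol"]) if "protocol" in kv else None,
            "dport": (int(kv["dst-port-min"]), int(kv["dst-port-max"])) if "dst-port-min" in kv else None,
        })
    return rules

def _matches(r, s, d, proto, dport):
    return ((r["src"] is None or s in r["src"])
            and (r["dst"] is None or d in r["dst"])
            and (r["proto"] is None or r["proto"] == proto)
            and (r["dport"] is None or r["dport"][0] <= dport <= r["dport"][1]))

def evaluate(rules, src, dst, proto, dport):
    """First-match lookup: 'permit', 'drop', or 'no-match' if no rule applied."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r["drop"] or _matches(r, s, d, proto, dport):
            return "drop" if r["drop"] else "permit"
    return "no-match"

# The two ACLs from the post: the first forgets DNS, the second permits it.
HTTP_RULE = "qos ip-acl name testacl src-ip 192.168.100.0/24 protocol 6 dst-port-min 80 dst-port-max 80"
DNS_RULE = ("qos ip-acl name testacl src-ip 192.168.100.0/24 dst-ip 192.168.1.1/32 "
            "protocol 17 dst-port-min 53 dst-port-max 53")
DROP_ALL = "qos ip-acl name testacl drop-action enable"
FIRST_ACL = [HTTP_RULE, DROP_ALL]
FIXED_ACL = [HTTP_RULE, DNS_RULE, DROP_ALL]
```

Run `evaluate(parse_acl(FIRST_ACL), "192.168.100.10", "192.168.1.1", 17, 53)` to see the forgotten-DNS case return "drop"; the same call against FIXED_ACL returns "permit".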

Cheers!

Reference:
2008_04_01_Filters_and_QOS_Configurati0on_for_Ethernet_Routing_Switch_5500_TCG_NN48500559.pdf

Avaya Technical Configuration Guide for IPFIX


Avaya has released an updated technical configuration guide detailing how to configure IPFIX on the Ethernet Routing Switch 4500, 5000, 8300 and 8600. The document goes into detail documenting how to configure the different switch models. It also covers Avaya’s IP Flow Manager (IPFM) in significant detail.

I’m curious if anyone out there is using Avaya’s IP Flow Manager and has any thoughts and/or comments to share.

I remember a few folks either here or on the forums commenting that they were using nTop to collect the IPFIX flow information. Anyone have any thoughts about nTop/nProbe?

Cheers!

Image Credit to Network World