There have been a few recent comments on the blog and a few questions on the discussion forum around how ACLs (traffic filters) work on the Ethernet Routing Switch 5520. I thought I would take a few minutes to dive into the subject and perhaps either answer some of those questions or foster some additional discussion. Let me get right to the most popular question.
Is the Ethernet Routing Switch 5510/5520/5530 capable of performing basic IP filtering? Yes.
Prior to software release 5.0 you had to do all filtering in QoS policies. A lot of the confusion seems to come from the fact that, in order to perform IP filtering similar to an ACL on a Cisco router, you had to create a QoS policy. With the release of 5.0 software you can now create fairly straightforward ACLs. You can only do this from the CLI or web interface; there’s no support for ACLs in Java Device Manager.
Let me walk you through a simple example.
I started with an ERS-5520-PWR, factory reset the switch and gave it a management IP address of 192.168.1.50 (VLAN 1);
5520-48T-PWR(config)#ip address switch 192.168.1.50
5520-48T-PWR(config)#ip default-gateway 192.168.1.1
5520-48T-PWR(config)#ip address netmask 255.255.255.0
I created VLAN 100 and moved ports 13-48 to VLAN 100 making sure to set the PVID;
5520-48T-PWR(config)#vlan members remove 1 13-48
5520-48T-PWR(config)#vlan create 100 type port
5520-48T-PWR(config)#vlan members add 100 13-48
5520-48T-PWR(config)#vlan ports 13-48 pvid 100
I enabled IP routing on the switch (remember out of the box it’s just a Layer 2 switch);
5520-48T-PWR(config)#ip routing
I enabled IP routing for VLAN 1 and then gave VLAN 100 an IP address/interface (the trailing 2 on the ip address command is the MAC address offset, which shows up in the Offset column of the show vlan ip output below);
5520-48T-PWR(config)#interface vlan 1
5520-48T-PWR(config-if)#ip routing
5520-48T-PWR(config-if)#exit
5520-48T-PWR(config)#interface vlan 100
5520-48T-PWR(config-if)#ip address 192.168.100.1 255.255.255.0 2
5520-48T-PWR(config-if)#ip routing
5520-48T-PWR(config-if)#exit
Let’s just make sure that everything looks right before we get to the real meat of this post;
5520-48T-PWR#show vlan ip
==============================================================================
Vid   ifIndex   Address         Mask             MacAddress          Offset   Routing
==============================================================================
Primary Interfaces
------------------------------------------------------------------------------
1     10001     192.168.1.50    255.255.255.0    00:1F:0A:CE:XX:40   1        Enabled
100   10100     192.168.100.1   255.255.255.0    00:1F:0A:CE:XX:41   2        Enabled
------------------------------------------------------------------------------
% Total of Primary Interfaces: 2
The two IP interfaces are configured properly and have routing enabled. Let’s make sure that the routing table is correct;
5520-48T-PWR#show ip route
===============================================================================
                                   Ip Route
===============================================================================
DST              MASK              NEXT            COST   VLAN   PORT   PROT   TYPE   PRF
-------------------------------------------------------------------------------
0.0.0.0          0.0.0.0           192.168.1.1     10     1      1      S      IB     5
192.168.1.0      255.255.255.0     192.168.1.50    1      1      ----   C      DB     0
192.168.100.0    255.255.255.0     192.168.100.1   1      100    ----   C      DB     0
Total Routes: 3
-------------------------------------------------------------------------------
TYPE Legend:
I=Indirect Route, D=Direct Route, A=Alternative Route, B=Best Route, E=Ecmp Route, U=Unresolved Route, N=Not in HW
Here’s where the real work starts. I created an ACL named “testacl” and then assigned it to port 23.
5520-48T-PWR(config)#qos ip-acl name testacl src-ip 192.168.100.0/24 protocol 6 dst-port-min 80 dst-port-max 80
5520-48T-PWR(config)#qos ip-acl name testacl drop-action enable
5520-48T-PWR(config)#qos acl-assign port 23 acl-type ip name testacl
In the statements above I created an ACL with two entries. The first entry permits traffic sourced from 192.168.100.0/24 to TCP destination port 80; the second entry has no match criteria at all and has drop-action enabled, so it drops everything the first entry did not match. Entries are checked in the order they were created, which is why the catch-all drop goes last. I then assigned that ACL to port 23, where I have a test PC connected to the switch.
Let’s pretend that you forgot to allow DNS (UDP/53) queries in your IP filter, so we need to back out the ACL and recreate it.
First we need to determine the ACL number that was assigned to our ACL called “testacl”. We can do that by issuing the following command;
5520-48T-PWR#show qos acl
Id      Name                            State      ACL    Unit/Port   Storage
                                                   Type               Type
_____   ____________________________    ________   ____   _________   ________
1       testacl                         Enabled    IP     1/23        NonVol
We also need to know how many rules are in the IP ACL that’s being referenced above. We can do that with the following command;
5520-48T-PWR#show qos ip-acl
Id: 1
Name: testacl
Block:
Address Type: IPv4
Destination Addr/Mask: Ignore
Source Addr/Mask: 192.168.100.0/24
DSCP: Ignore
IPv4 Protocol / IPv6 Next Header: TCP
Destination L4 Port Min: 80
Destination L4 Port Max: 80
Source L4 Port Min: Ignore
Source L4 Port Max: Ignore
IPv6 Flow Id: Ignore
Action Drop: No
Action Update DSCP: Ignore
Action Update 802.1p Priority: Ignore
Action Set Drop Precedence: Low Drop
Type: Access List
Storage Type: NonVolatile

Id: 2
Name: testacl
Block:
Address Type: IPv4
Destination Addr/Mask: Ignore
Source Addr/Mask: Ignore
DSCP: Ignore
IPv4 Protocol / IPv6 Next Header: Ignore
Destination L4 Port Min: Ignore
Destination L4 Port Max: Ignore
Source L4 Port Min: Ignore
Source L4 Port Max: Ignore
IPv6 Flow Id: Ignore
Action Drop: Yes
Action Update DSCP: Ignore
Action Update 802.1p Priority: Ignore
Action Set Drop Precedence: Low Drop
Type: Access List
Storage Type: NonVolatile
Now we can remove the ACL from port 23 and then delete it from the switch;
5520-48T-PWR(config)#no qos acl-assign 1
5520-48T-PWR(config)#no qos ip-acl 2
5520-48T-PWR(config)#no qos ip-acl 1
Now we’ll rebuild the ACL allowing DNS queries to the broadband router;
5520-48T-PWR(config)#qos ip-acl name testacl src-ip 192.168.100.0/24 protocol 6 dst-port-min 80 dst-port-max 80
5520-48T-PWR(config)#qos ip-acl name testacl src-ip 192.168.100.0/24 dst-ip 192.168.1.1/32 protocol 17 dst-port-min 53 dst-port-max 53
5520-48T-PWR(config)#qos ip-acl name testacl drop-action enable
5520-48T-PWR(config)#qos acl-assign port 23 acl-type ip name testacl
Now that we have our filter let’s see what it looks like (I’m not a fan of this output format);
5520-48T-PWR#show qos ip-acl
Id: 1
Name: testacl
Block:
Address Type: IPv4
Destination Addr/Mask: Ignore
Source Addr/Mask: 192.168.100.0/24
DSCP: Ignore
IPv4 Protocol / IPv6 Next Header: TCP
Destination L4 Port Min: 80
Destination L4 Port Max: 80
Source L4 Port Min: Ignore
Source L4 Port Max: Ignore
IPv6 Flow Id: Ignore
Action Drop: No
Action Update DSCP: Ignore
Action Update 802.1p Priority: Ignore
Action Set Drop Precedence: Low Drop
Type: Access List
Storage Type: NonVolatile

Id: 2
Name: testacl
Block:
Address Type: IPv4
Destination Addr/Mask: 192.168.1.1/32
Source Addr/Mask: 192.168.100.0/24
DSCP: Ignore
IPv4 Protocol / IPv6 Next Header: UDP
Destination L4 Port Min: 53
Destination L4 Port Max: 53
Source L4 Port Min: Ignore
Source L4 Port Max: Ignore
IPv6 Flow Id: Ignore
Action Drop: No
Action Update DSCP: Ignore
Action Update 802.1p Priority: Ignore
Action Set Drop Precedence: Low Drop
Type: Access List
Storage Type: NonVolatile

Id: 3
Name: testacl
Block:
Address Type: IPv4
Destination Addr/Mask: Ignore
Source Addr/Mask: Ignore
DSCP: Ignore
IPv4 Protocol / IPv6 Next Header: Ignore
Destination L4 Port Min: Ignore
Destination L4 Port Max: Ignore
Source L4 Port Min: Ignore
Source L4 Port Max: Ignore
IPv6 Flow Id: Ignore
Action Drop: Yes
Action Update DSCP: Ignore
Action Update 802.1p Priority: Ignore
Action Set Drop Precedence: Low Drop
Type: Access List
Storage Type: NonVolatile
That’s a basic ACL filter using Layer 3 parameters. There is a Technical Configuration Guide available from Nortel/Avaya that provides additional examples and covers Filtering and QoS configuration of the Ethernet Routing Switch 5500 series switches. The guide is a little dated but still a very useful resource in my opinion.
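Before you paste an ACL like the one above into a production switch it helps to check it against a handful of sample flows offline. The script below is an added example written for this post; it is not code from the original article or from Nortel/Avaya. It parses the qos ip-acl lines in the form used above (src-ip, dst-ip, protocol, dst-port-min/max, drop-action), evaluates constructed sample packets against the entries in the order they were created, and flags a catch-all drop that is not the last entry. Two assumptions are built in: the first matching entry decides, and an entry with no match criteria matches every IP packet. The sample packets and the 203.0.113.0/24 addresses are constructed for the example.

```python
"""Offline model of the `qos ip-acl` entries built in this post (added example,
not code from the original post or from Nortel/Avaya).

Assumptions: the first matching entry decides; an entry with no match
criteria matches every IP packet; only the fields used in the post are modelled.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Entry:
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    proto: Optional[int] = None       # IP protocol number (6 = TCP, 17 = UDP)
    dport: Optional[range] = None     # dst-port-min .. dst-port-max, inclusive
    drop: bool = False                # drop-action enable -> True

    def is_catch_all(self) -> bool:
        return all(x is None for x in (self.src, self.dst, self.proto, self.dport))

    def matches(self, pkt: dict) -> bool:
        if self.src is not None and ipaddress.ip_address(pkt["src"]) not in self.src:
            return False
        if self.dst is not None and ipaddress.ip_address(pkt["dst"]) not in self.dst:
            return False
        if self.proto is not None and pkt.get("proto") != self.proto:
            return False
        if self.dport is not None and pkt.get("dport") not in self.dport:
            return False
        return True


_KV = re.compile(r"(src-ip|dst-ip|protocol|dst-port-min|dst-port-max|drop-action)\s+(\S+)")


def parse_acl(lines: list, name: str) -> list:
    """Ordered Entry list for ACL `name` from `qos ip-acl name <name> ...` lines."""
    entries = []
    for line in lines:
        m = re.match(rf"\s*qos ip-acl name {re.escape(name)}\b(.*)", line)
        if not m:
            continue
        kv = dict(_KV.findall(m.group(1)))
        e = Entry()
        if "src-ip" in kv:
            e.src = ipaddress.ip_network(kv["src-ip"], strict=False)
        if "dst-ip" in kv:
            e.dst = ipaddress.ip_network(kv["dst-ip"], strict=False)
        if "protocol" in kv:
            e.proto = int(kv["protocol"])
        if "dst-port-min" in kv:
            lo = int(kv["dst-port-min"])
            e.dport = range(lo, int(kv.get("dst-port-max", lo)) + 1)
        e.drop = kv.get("drop-action", "disable") == "enable"
        entries.append(e)
    return entries


def evaluate(entries: list, pkt: dict) -> str:
    """'permit' or 'drop' from the first matching entry; 'no-match' if none match."""
    for e in entries:
        if e.matches(pkt):
            return "drop" if e.drop else "permit"
    return "no-match"


def lint(entries: list) -> list:
    """Warn about a catch-all drop that is not last: every entry after it is dead."""
    return [
        f"entry {i + 1}: catch-all drop is not the last entry; "
        f"{len(entries) - i - 1} later entries can never match"
        for i, e in enumerate(entries)
        if e.drop and e.is_catch_all() and i != len(entries) - 1
    ]


# The two versions of testacl from the post (HTTP only, then HTTP plus DNS to the gateway).
ACL_V1 = [
    "qos ip-acl name testacl src-ip 192.168.100.0/24 protocol 6 dst-port-min 80 dst-port-max 80",
    "qos ip-acl name testacl drop-action enable",
]
ACL_V2 = ACL_V1[:1] + [
    "qos ip-acl name testacl src-ip 192.168.100.0/24 dst-ip 192.168.1.1/32 protocol 17 dst-port-min 53 dst-port-max 53",
    "qos ip-acl name testacl drop-action enable",
]

# Constructed sample packets; 203.0.113.0/24 is a documentation range, not a real host.
PACKETS = {
    "http":    {"src": "192.168.100.10", "dst": "203.0.113.10", "proto": 6,  "dport": 80},
    "dns_gw":  {"src": "192.168.100.10", "dst": "192.168.1.1",  "proto": 17, "dport": 53},
    "dns_ext": {"src": "192.168.100.10", "dst": "203.0.113.53", "proto": 17, "dport": 53},
    "https":   {"src": "192.168.100.10", "dst": "203.0.113.10", "proto": 6,  "dport": 443},
}


def decisions(acl_lines: list, name: str = "testacl") -> dict:
    """Decision per sample packet for the given ACL text."""
    entries = parse_acl(acl_lines, name)
    return {label: evaluate(entries, pkt) for label, pkt in PACKETS.items()}


if __name__ == "__main__":
    for label, acl in (("v1", ACL_V1), ("v2", ACL_V2)):
        print(label, decisions(acl), lint(parse_acl(acl, "testacl")))
```

Running it shows the forgotten-DNS failure directly: under the first ACL the dns_gw packet is dropped, under the second it is permitted, while DNS to any resolver other than 192.168.1.1 is still dropped because the permit entry pins dst-ip to /32. The lint function catches the other common mistake, a catch-all drop entry created before the permits, which leaves the later entries unreachable under first-match evaluation.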
Cheers!
Richard says
I’ve been hearing people pronounce ACL like ackle. My inner Beavis and Butthead made me laugh at the name you chose for your test ACL: testacl. Sorry!
Keep up the great work! Your website is a great resource.
Michael McNamara says
That was pretty good Rich… gave me a good laugh!
Nug says
Interesting post, smart that Nortel/Avaya are making it easier for Cisco folk to configure their switches. The thing that bothers me most about the 5500 filters is the port range limitation, from PDF: “Range support is limited to a certain extent, however, because ranges are represented as a bitmask within the overall classification mask, and not with explicit minimum and maximum values”
Michael McNamara says
Hi Nug,
I can’t argue with you there… I must have read that page/section at least two or three times. What I would give for the classic IP filters of the BayRS BCN/BLN/ASN/ARN routers… those were straight forward, easy to write and worked like a charm.
Thanks for the comment!
Craig says
Does IP routing have to be enabled in order for these to work?
Michael McNamara says
Hi Craig,
I don’t believe IP routing/forwarding needs to be enabled to utilize the ACL feature, actually I’m pretty sure it should work regardless of whether the switch is acting as a Layer 2 device or Layer 3 device.
Cheers!
martina says
Hi,
I have some problem with ACL on ERS55xx stack of two switches, ERS5530 and ERS5698, software version 6.1.
I have created interface group (with only one interface) and associated it with specific policy rule, but now I can not add more interfaces to this group, only one port can be assigned to the group. There is an error message saying: insufficient hardware resources to support role association.
Any idea where the problem could be? The interfaces belong to the ERS5698 switch.
regards,
Martina
Michael McNamara says
Hi Martina,
There is a limit to the number of filters you can apply since they are performed in hardware and not software… the limit includes some of the built-in features such as DHCP snooping, ARP inspection, IP source guard, etc. I believe there is a command in the CLI interface that will show you how many remaining filters (resources) you can construct although I don’t recall the command at this minute.
I believe that’s probably part of your problem.
Good Luck!
martina says
Hi,
A maximum of 256 filters can be defined per interface; I have 93 filters.
Could be something else?
Regards
Michael McNamara says
Hi Martina,
The error message suggests that you are over extending the available resources.
Here’s a blurb from page 10 of the Technical Configuration Guide above;
“Classification with the Ethernet Routing Switch 5500 has some fundamental classification limitations, imposed by hardware, that affect classification overall. The foremost limitation is related to the concept, introduced by the latest classification hardware and the supporting data model, of “classification masks”. A classification mask specifies the fields within a frame that will be used for matching purposes. The mask itself does not specify the data to be matched but rather indicates which fields, or portions thereof, in the various protocol headers (e.g., MAC, IPv4, IPv6 headers) will be examined during the classification process. Currently, a maximum of 15 classification masks and 114 classifiers are available per port for user-defined traffic classification. This effectively means that 15 or fewer unique combinations of classification criteria (i.e., Layer 2, 3 and 4 data) can be specified per port. However, multiple data sets can leverage the same classification mask. This means that, as long as the same protocol data fields are being matched (e.g., IPv4 source address, IPv6 flow label, Layer 2 802.1p User Priority and VLAN Id), a much larger number of classifiers, up to a maximum of 114 per port, can be defined containing unique data values for matching against the fields/offsets identified by the classification mask.”
I’m sure the ERS 5600 series switches might have more “hardware” than the original ERS 5500 series switches but the error message suggests that’s where you should focus your attention.
You can try posting in the discussion forums, perhaps someone else will have a better answer.
Good Luck!
jitendra says
Hello
When I have applied an ACL on ports that are in the same VLAN, the ACL works fine but the nodes in that VLAN stop communicating.
Michael McNamara says
Hi jitendra,
I’m not quite sure I understand… how is the ACL working fine if it’s disrupting communications to/from nodes in that VLAN?
Good Luck!
Rhys says
Hi,
I am having trouble with ACLs on the ERS 5000 series switches. I have the following configuration:
qos ip-acl name test src-ip 10.0.0.5/32 dst-ip 10.0.0.100/32 protocol 6 dst-port-min 22 dst-port-max 22 drop-action disable
qos ip-acl name test src-ip 10.0.0.5/32 dst-ip 10.0.0.100/32 protocol 17 dst-port-min 161 dst-port-max 161 drop-action disable
qos ip-acl name test dst-ip 10.0.0.100/32 drop-action enable
qos ip-acl name test drop-action disable
The above is applied to several ports.
The access list is supposed to allow SSH and SNMP to the switch from a specified range (rules one and two) block any other access to the switch (rule three) and allow any other device to communicate with anything (rule four).
Rules 1-3 seem to work; I can SSH and SNMP to the switch from the specified IP range with no problems, ICMP and telnet are blocked.
I can then contact some devices on the subnet (.20) but not others (.201 and .202)
I have also tried applying rule four using 0.0.0.0/0 as the src and dst but this gives the same result.
Any help would be greatly appreciated
Thanks,
Rhys.
Michael McNamara says
Hi Rhys,
I believe the drop needs to be the last statement in your ACL. If you want to allow other traffic through the filter you need to create a rule in the ACL, before your last statement, allowing that specific traffic.
Cheers!
Tim says
Hi Michael,
I’m an ex-Nortel-er – your site is great. I am having some issues configuring my ERS 5520 – I’m trying to create a DMZ and need to create an ACL/filter to block hosts on the DMZ segment from contacting the ‘secure’ segment. The NT documentation seems to indicate that I should be able to create an ip-element filtering on TCP flags (e.g. just ‘SYN’) but when I go to do this on my switch, the tcp-control option isn’t there. Any suggestions? I keep reading the documentation but don’t find anything. Could I just create a system element with the byte pattern I’m looking for?
Best regards,
Tim
Michael McNamara says
Hi Tim,
You’re probably not running the latest and greatest software release. I believe I did that lab running 6.1.x software.
Good Luck!
charles says
The information on the blogs is just 100% precise and very, very (allow me to say very again) clear. Thanks for the solutions you provide.
Charles Milanya
Nairobi
kenya.
Drunkard says
Hi Michael,
I tried a ip-acl on Nortel 5510:
qos ip-acl name "mon" src-ip 172.16.2.1/32 protocol 6 src-port-min 80 src-port-max 80
qos ip-acl name "mon" src-ip 172.16.2.1/32 protocol 6 src-port-min 3389 src-port-max 3389
qos ip-acl name "mon" drop-action enable set-drop-prec low-drop
qos acl-assign port 3 acl-type ip name "mon"
After that, the PC (172.16.2.1) can’t get an answer to its ARP requests, and as a result there is no traffic…
If I add a static ARP record on the PC, everything works, and the ip-acl does too.
How can I permit ARP, DHCP, etc. traffic?
Best regards,
Konstantin.
Michael McNamara says
Hi Drunkard,
Those ACLs should only examine IP packets; do you have Dynamic ARP Inspection enabled? Are you testing this from a factory default configuration?
Cheers!
Drunkard says
Hi Michael,
ARP Inspection is disabled. No, my configuration isn’t a factory default configuration… but I haven’t configured ARP on the switch! Without an ip-acl, ARP and DHCP work well.
And after: qos acl-assign port 3 acl-type ip name "mon"
they stop working, even if the ACL has one rule permitting all traffic.
Michael McNamara says
Hi Drunkard,
It appears you are right… the IP-ACL will only permit IP traffic (Ethertype 0x0800) and blocks ARP (Ethertype 0x0806). I’m not sure if you can attach a L2-ACL to allow ARP. I’m very busy these days but if I have time I’ll try to test it out myself.
Cheers!
Drunkard says
Hi Michael,
I add L2-ACL:
qos l2-acl name "monL2" drop-action disable
qos acl-assign port 3 acl-type l2 name "monL2"
but it didn’t help :(
Best regards.
Alex says
Drunkard,
I had the same problem.
Try adding an L2-ACL in which you specify the arp ethertype (0x0806)
qos l2-acl name "monL2" ethertype 0x0806 drop-action disable
qos l2-acl name "monL2" drop-action disable
even the L2 ethertype “ignore” doesn’t take arp into account…
It worked for me.
Alex says
Sorry my previous post is wrong.
I messed up in my test, it’s still not working as expected…
Jeff says
Wondering if anyone has been able to get this working. I am having the same issue as Drunkard. I have the IP ACLs in place and they work for about 5 minutes, then all traffic is blocked. I am locking down a port on a 5510 so the printer is only permitted to send and receive traffic from two different host addresses. I loaded Wireshark on one of the hosts and ran a continuous ping; the system tries to ARP for the MAC address of the printer, and at that point all traffic stops. I tried the L2 ethertype ACL mentioned above with no success. I am running version 614011s code on the switch.
qos ip-acl name hurcoll4250 src-ip 192.168.53.1/32 dst-ip 192.168.52.5/32
qos ip-acl name hurcoll4250 src-ip 192.168.53.1/32 dst-ip 192.168.52.4/32
qos ip-acl name hurcoll4250 src-ip 192.168.53.1/32 dst-ip 192.168.2.88/32
qos ip-acl name hurcoll4250 src-ip 192.168.52.5/32 dst-ip 192.168.53.1/32
qos ip-acl name hurcoll4250 src-ip 192.168.52.4/32 dst-ip 192.168.53.1/32
qos ip-acl name hurcoll4250 src-ip 192.168.2.88/32 dst-ip 192.168.53.1/32
qos ip-acl name hurcoll4250 drop-action enable
qos acl-assign port 40 acl-type ip name hurcoll4250
JM says
I have the same problem! There’s no Issues?
Nick says
Is there any way to restrict just SNMP and allow everything else?
We have some staff that kick off SNMP scanners which I would like to block.
Thanks
Michael McNamara says
You can use an Access Policy on the ERS 8600/8800 series switches.
Rajesh Bisht says
Hi Michael,
Do you have any post on inter-VLAN communication restriction on the ERS 8800? I want to block all communication between different VLANs apart from the server VLAN.
I am new to Nortel/Avaya. I have worked all my life on Cisco & it is pretty easy in Cisco. But, in Nortel, it seems to be too confusing. I tried going through QoS & IP filtering on ERS 8800, but not able to understand much.
if you have any post/blog on that, it will help.
Regards
Rajesh
Ekram says
Hi Michael, Hope you are doing good!!!
I am trying to configure QoS based on UDP ports on an ERS 5520 (SW v6.3.1) using the command given below, but it’s throwing an error:
"qos traffic-profile classifier name Test protocol 17 dst-port-min 54600 dst-port-max 54699 update-dscp 46 update-1p 6 block one eval-order 20 committed-rate 10000 committed-burst-size 4 drop-out-action disable update-dscp-out-action 16"
Error: Specified Destination Layer 4 min/max range not supported
Same command is working fine on ERS 4500…..could you please suggest?
Michael McNamara says
Hi Ekram,
I would guess it’s a bug or limitation of the hardware. I would suggest you contact Avaya if you need to know the precise reason.
Cheers!
Ekram says
Thanks Michael, I got the solution…..we need to split UDP port range into multiple ranges:
Port Range Functionality:
The Ethernet Routing Switch 5500 has the ability to specify a range of values supported by the QoS data model for several classification components (e.g., Layer 4 source and destination port numbers, VLAN Id values). Range support is limited to a certain extent, however, because ranges are represented as a bitmask within the overall classification mask, and not with explicit minimum and maximum values. A range must thus be specified by indicating which bits in the given field (e.g., Layer 4 source port) are 'ignored' (i.e., set to 0). Taking into account this limitation, the following rules are used to determine valid range values:
I. Minimum value: n
Maximum value: n
>> Example: min: 20 max: 20 (min = max equates to a range of 1)
II. Minimum value: 0
Maximum value: (2^n) – 1
>> Example: min: 0 max: 63 (n = 6)
III. Minimum value: even number
Maximum value: minimum port number in binary with rightmost consecutive 0s replaced with 1s, using the formula: Port Maximum = (Port Minimum + 2^n) - 1, where n equals the number of consecutive trailing zeros.
>> Example: min: 128 max: 255 ((128 + 2^7) - 1 = 255; 128 in binary has 7 consecutive trailing zeros)
Specified ranges that do not adhere to one of these three rules cannot be supported and will be flagged as erroneous.
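The three rules quoted above all describe the same hardware constraint: a range is really a port value plus a mask of ignored low-order bits, so it must be a power-of-two sized block aligned to its own size. The script below is an added example written for this thread, not code from the post, the guide or Avaya. It checks a range against the three rules as the guide states them, and it splits an arbitrary range such as 54600-54699 into the smallest set of aligned blocks, emitting one dst-port-min/dst-port-max pair per block in the qos ip-acl form used in the post. One assumption is labelled in the code: the splitter allows a block to ignore fewer low bits than the minimum port has trailing zeros (for example 54656-54687, a 32-port block although 54656 has 7 trailing zeros), which is what a bitmask can express but is a generalization of rule III as written, so confirm on your own switch before relying on it.

```python
"""Decompose an L4 port range into bitmask-representable sub-ranges for the
ERS 5500 classification hardware.  Added example for this thread, not code
from the post, the Technical Configuration Guide or Avaya.
"""

PORT_BITS = 16  # TCP/UDP ports are 16-bit fields


def trailing_zeros(n: int) -> int:
    """Number of consecutive 0 bits at the right end of n (0 is treated as PORT_BITS)."""
    if n == 0:
        return PORT_BITS
    return (n & -n).bit_length() - 1


def page_rule(lo: int, hi: int):
    """'I', 'II' or 'III' if (lo, hi) satisfies one of the guide's three rules
    exactly as stated (rule III with n = full trailing-zero count of lo), else None."""
    if lo == hi:
        return "I"
    if lo == 0 and ((hi + 1) & hi) == 0:          # hi == 2**n - 1
        return "II"
    if lo % 2 == 0 and hi == lo + (1 << trailing_zeros(lo)) - 1:
        return "III"
    return None


def is_bitmask_range(lo: int, hi: int) -> bool:
    """True if [lo, hi] is a value plus a mask of ignored low bits: the block size
    is a power of two and lo is aligned to it.  ASSUMPTION: this is the condition
    the hardware actually imposes; it is a superset of rules I-III above."""
    size = hi - lo + 1
    return size > 0 and (size & (size - 1)) == 0 and lo % size == 0


def split_range(lo: int, hi: int) -> list:
    """Greedy decomposition of [lo, hi] into the fewest aligned power-of-two blocks
    (the same algorithm that turns an IP range into CIDR prefixes).
    Returns [(block_min, block_max, ignored_low_bits), ...] in ascending order."""
    if not (0 <= lo <= hi < (1 << PORT_BITS)):
        raise ValueError("port range out of bounds")
    blocks = []
    cur = lo
    while cur <= hi:
        k = trailing_zeros(cur)               # largest alignment available at cur
        while cur + (1 << k) - 1 > hi:        # shrink until the block fits in the range
            k -= 1
        blocks.append((cur, cur + (1 << k) - 1, k))
        cur += 1 << k
    return blocks


def block_mask(k: int) -> int:
    """16-bit classification mask for a block that ignores its k low bits."""
    return ((1 << PORT_BITS) - 1) & ~((1 << k) - 1)


def acl_lines(name: str, proto: int, lo: int, hi: int) -> list:
    """One `qos ip-acl` entry per block, in the dst-port form used in the post."""
    return [
        f"qos ip-acl name {name} protocol {proto} dst-port-min {b_lo} dst-port-max {b_hi}"
        for b_lo, b_hi, _ in split_range(lo, hi)
    ]


if __name__ == "__main__":
    # Constructed input: the UDP range from the comment above.
    for b_lo, b_hi, k in split_range(54600, 54699):
        print(f"{b_lo}-{b_hi}  mask 0x{block_mask(k):04X}  guide rule: {page_rule(b_lo, b_hi)}")
    print("\n".join(acl_lines("Test", 17, 54600, 54699)))
```

For 54600-54699 the splitter produces six blocks (54600-54607, 54608-54623, 54624-54655, 54656-54687, 54688-54695, 54696-54699). Only the first three satisfy rule III as literally worded; the other three are still valid bitmasks, which is the point of the labelled assumption. Each block costs one classifier, so a wide, badly aligned range can eat into the per-port classifier budget quoted earlier in this thread.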
Michael McNamara says
Thanks for sharing the solution!
Andrey Zverev says
Hi Michael,
First, thank you for your blog; it has really helped me scores of times.
And my question:
Have you ever configured an Avaya VSP 7000 switch? Does ACL configuration like this work on the Avaya VSP 7000? I looked for some information about Traffic Filters and ACLs for the Avaya VSP 7000. There is not a word about it in VSP7000_10_3_Doc_Collection_04_20140402.zip (I only have the doc collection, not a device to test, unfortunately). Meanwhile I tested the ACL configuration from this page on my ERS 4524GT with SW v5.7.0.008 and it works fine. It would be really strange if it worked on the ERS 4500 and didn’t work on the VSP 7000.
Shivam Mishra says
I have an ERS 4550T. I want to apply an ACL such that only the subnets 172.22.23.0/24, 172.22.24.0/24 and 172.22.25.0/24 are able to communicate with 172.27.64.155 and 172.27.64.156, and the rest of the traffic is blocked. Please let me know whether the configuration below is correct.
qos ip-acl name allow src-ip 172.22.23.0/24 dst-ip 172.27.64.155/32 drop-action disable
qos ip-acl name allow src-ip 172.22.24.0/24 dst-ip 172.27.64.155/32 drop-action disable
qos ip-acl name allow src-ip 172.22.25.0/24 dst-ip 172.27.64.155/32 drop-action disable
qos ip-acl name allow src-ip 172.22.23.0/24 dst-ip 172.27.64.156/32 drop-action disable
qos ip-acl name allow src-ip 172.22.24.0/24 dst-ip 172.27.64.156/32 drop-action disable
qos ip-acl name allow src-ip 172.22.25.0/24 dst-ip 172.27.64.156/32 drop-action disable