Comments on: Traffic Filters and ACLs for the Ethernet Routing Switch 5000 https://blog.michaelfmcnamara.com/2010/07/traffic-filters-and-acls-for-the-ethernet-routing-switch-5000/ technology, networking, virtualization and IP telephony Tue, 14 May 2019 07:45:18 +0000

By: Shivam Mishra https://blog.michaelfmcnamara.com/2010/07/traffic-filters-and-acls-for-the-ethernet-routing-switch-5000/comment-page-1/#comment-139685 Tue, 14 May 2019 07:45:18 +0000 http://blog.michaelfmcnamara.com/?p=1483#comment-139685 In reply to Andrey Zverev.

I have an ERS 4550T. I want to apply an ACL such that only the subnets 172.22.23.0/24, 172.22.24.0/24 and 172.22.25.0/24 are able to communicate with 172.27.64.155 and 172.27.64.156, and the rest of the traffic should be blocked. Please let me know whether the configuration mentioned below is correct or not.

qos ip-acl name allow src-ip 172.22.23.0/24 dst-ip 172.27.64.155/32 drop-action disable
qos ip-acl name allow src-ip 172.22.24.0/24 dst-ip 172.27.64.155/32 drop-action disable
qos ip-acl name allow src-ip 172.22.25.0/24 dst-ip 172.27.64.155/32 drop-action disable
qos ip-acl name allow src-ip 172.22.23.0/24 dst-ip 172.27.64.156/32 drop-action disable
qos ip-acl name allow src-ip 172.22.24.0/24 dst-ip 172.27.64.156/32 drop-action disable
qos ip-acl name allow src-ip 172.22.25.0/24 dst-ip 172.27.64.156/32 drop-action disable

]]>
By: Andrey Zverev https://blog.michaelfmcnamara.com/2010/07/traffic-filters-and-acls-for-the-ethernet-routing-switch-5000/comment-page-1/#comment-34486 Tue, 06 May 2014 09:59:06 +0000 http://blog.michaelfmcnamara.com/?p=1483#comment-34486 Hi Michael,
First of all, thank you for your blog; it has really helped me scores of times.
And my question:
have you ever configured an Avaya VSP 7000 switch? Is ACL configuration like this working on the Avaya VSP 7000? I looked for some information about Traffic Filters and ACLs for the Avaya VSP 7000. There is not a word about it in VSP7000_10_3_Doc_Collection_04_20140402.zip (I have just the doc collection, not a device to test, unfortunately). Meanwhile I tested the ACL configuration from this page on my ERS 4524GT with SW:v5.7.0.008 and it works fine. And it would be really strange if it works on the ERS 4500 and doesn’t work on the VSP 7000.

]]>
By: Michael McNamara https://blog.michaelfmcnamara.com/2010/07/traffic-filters-and-acls-for-the-ethernet-routing-switch-5000/comment-page-1/#comment-22981 Tue, 22 Apr 2014 22:33:26 +0000 http://blog.michaelfmcnamara.com/?p=1483#comment-22981 In reply to Ekram.

Thanks for sharing the solution!

]]>
By: Ekram https://blog.michaelfmcnamara.com/2010/07/traffic-filters-and-acls-for-the-ethernet-routing-switch-5000/comment-page-1/#comment-22773 Tue, 15 Apr 2014 04:06:29 +0000 http://blog.michaelfmcnamara.com/?p=1483#comment-22773 In reply to Michael McNamara.

Thanks Michael, I got the solution... we need to split the UDP port range into multiple ranges:

Port Range Functionality:
The Ethernet Routing Switch 5500 has the ability to specify a range of values supported by the QoS data model for several classification components (e.g., Layer 4 source and destination port numbers, VLAN Id values). Range support is limited to a certain extent, however, because ranges are represented as a bitmask within the overall classification mask, and not with explicit minimum and maximum values. A range must thus be specified by indicating which bits in the given field (e.g., Layer 4 source port) are "ignored" (i.e., set to 0). Taking into account this limitation, the following rules are used to determine valid range values:
I. Minimum value: n
Maximum value: n
>> Example: min: 20 max: 20 (min = max equates to a range of 1)
II. Minimum value: 0
Maximum value: (2^n) - 1
>> Example: min: 0 max: 63 (n = 6)
III. Minimum value: even number
Maximum value: minimum port number in binary with the rightmost consecutive 0's replaced with 1's, using the formula: Port Maximum = (Port minimum + 2^n) - 1, where n equals the number of consecutive trailing zeros.
>> Example: min: 128 max: 255 ((128 + 2^7) - 1 = 255; 128 in binary has 7 consecutive trailing zeros)
Specified ranges that do not adhere to one of these three rules cannot be supported and will be flagged as erroneous.

]]>
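The bitmask rule quoted in Ekram's comment decides which port ranges a single classifier can hold, and the 54600-54699 range that was rejected has to be split accordingly. The following added example (not from the blog, the commenters, or Avaya) does that split; it assumes the hardware accepts any number of ignored low-order bits, of which rules I, II and III are special cases, and the classifier names it prints are hypothetical.

```python
"""Split a Layer 4 port range into the value/mask blocks an ERS classifier
can hold: one rule covers lo..lo + 2**n - 1 only if the low n bits of lo are
zero (rules I, II and III quoted above are special cases of this)."""
from typing import List, Tuple

MAX_PORT = 0xFFFF

def is_mask_range(lo: int, hi: int) -> bool:
    """True if [lo, hi] fits one value/mask block. Assumption: any number of
    ignored bits is accepted, not only the full run named in rule III."""
    if not 0 <= lo <= hi <= MAX_PORT:
        return False
    span = hi - lo + 1
    # span must be a power of two and lo must be aligned to it
    return span & (span - 1) == 0 and lo % span == 0

def split_port_range(lo: int, hi: int) -> List[Tuple[int, int]]:
    """Greedily cover [lo, hi] with the fewest aligned power-of-two blocks;
    every block returned passes is_mask_range()."""
    if not 0 <= lo <= hi <= MAX_PORT:
        raise ValueError("port range must lie within 0..65535")
    blocks: List[Tuple[int, int]] = []
    cur = lo
    while cur <= hi:
        # widest block aligned at cur: every trailing zero bit of cur may be
        # ignored (all 16 bits when cur == 0, which has no set bit at all)
        n = 16 if cur == 0 else (cur & -cur).bit_length() - 1
        # narrow the block until it ends on or before hi
        while cur + (1 << n) - 1 > hi:
            n -= 1
        blocks.append((cur, cur + (1 << n) - 1))
        cur += 1 << n
    return blocks

def classifier_lines(name: str, lo: int, hi: int, proto: int = 17) -> List[str]:
    """One classifier per block, in the command form used in the thread.
    Hypothetical names; the action keywords are left for the admin to add."""
    return [
        f"qos traffic-profile classifier name {name}{i} protocol {proto} "
        f"dst-port-min {a} dst-port-max {b}"
        for i, (a, b) in enumerate(split_port_range(lo, hi), start=1)
    ]

if __name__ == "__main__":
    # Ekram's rejected range 54600-54699 splits into six supported blocks
    for line in classifier_lines("Test", 54600, 54699):
        print(line)
```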
By: Michael McNamara https://blog.michaelfmcnamara.com/2010/07/traffic-filters-and-acls-for-the-ethernet-routing-switch-5000/comment-page-1/#comment-22676 Fri, 04 Apr 2014 17:42:36 +0000 http://blog.michaelfmcnamara.com/?p=1483#comment-22676 In reply to Ekram.

Hi Ekram,

I would guess it’s a bug or limitation of the hardware. I would suggest you contact Avaya if you need to know the precise reason.

Cheers!

]]>
By: Ekram https://blog.michaelfmcnamara.com/2010/07/traffic-filters-and-acls-for-the-ethernet-routing-switch-5000/comment-page-1/#comment-22648 Mon, 31 Mar 2014 08:14:09 +0000 http://blog.michaelfmcnamara.com/?p=1483#comment-22648 Hi Michael, Hope you are doing good!!!

I am trying to configure QoS based on UDP ports on an ERS 5520 SW v6.3.1 using the command given below, but it throws an error:
“qos traffic-profile classifier name Test protocol 17 dst-port-min 54600 dst-port-max 54699 update-dscp 46 update-1p 6 block one eval-order 20 committed-rate 10000 committed-burst-size 4 drop-out-action disable update-dscp-out-action 16”

Error: Specified Destination Layer 4 min/max range not supported

The same command works fine on the ERS 4500... could you please suggest?

]]>
By: Rajesh Bisht https://blog.michaelfmcnamara.com/2010/07/traffic-filters-and-acls-for-the-ethernet-routing-switch-5000/comment-page-1/#comment-17199 Fri, 31 May 2013 10:31:08 +0000 http://blog.michaelfmcnamara.com/?p=1483#comment-17199 Hi Michael,

Do you have any post on inter-VLAN communication restriction in the ERS 8800? I want to block all communication between different VLANs apart from the server VLAN.

I am new to Nortel/Avaya. I have worked all my life on Cisco & it is pretty easy in Cisco. But, in Nortel, it seems to be too confusing. I tried going through QoS & IP filtering on ERS 8800, but not able to understand much.

If you have any post/blog on that, it will help.

Regards

Rajesh

]]>
By: JM https://blog.michaelfmcnamara.com/2010/07/traffic-filters-and-acls-for-the-ethernet-routing-switch-5000/comment-page-1/#comment-7379 Mon, 01 Oct 2012 07:34:26 +0000 http://blog.michaelfmcnamara.com/?p=1483#comment-7379 In reply to Jeff.

I have the same problem! There are no issues?

]]>
By: Michael McNamara https://blog.michaelfmcnamara.com/2010/07/traffic-filters-and-acls-for-the-ethernet-routing-switch-5000/comment-page-1/#comment-6707 Tue, 12 Jun 2012 01:52:53 +0000 http://blog.michaelfmcnamara.com/?p=1483#comment-6707 In reply to Nick.

You can use an Access Policy on the ERS 8600/8800 series switches.

]]>
By: Nick https://blog.michaelfmcnamara.com/2010/07/traffic-filters-and-acls-for-the-ethernet-routing-switch-5000/comment-page-1/#comment-6692 Thu, 07 Jun 2012 14:03:42 +0000 http://blog.michaelfmcnamara.com/?p=1483#comment-6692 Is there any way to restrict just SNMP and allow everything else?
We have some staff that kick off SNMP scanners which I would like to block.

Thanks

]]>
By: Jeff https://blog.michaelfmcnamara.com/2010/07/traffic-filters-and-acls-for-the-ethernet-routing-switch-5000/comment-page-1/#comment-5056 Tue, 18 Oct 2011 20:44:43 +0000 http://blog.michaelfmcnamara.com/?p=1483#comment-5056 Wondering if anyone has been able to get this working. I am having the same issue as drunkard. I have the IP ACL’s in place and they work for about 5 minutes then all traffic is blocked. I am locking down a port on a 5510 so the printer is only permitted to send and receive traffic from two different host addresses. I loaded wireshark on one of the hosts and ran a continuous ping, and the system tries to arp for the mac address of the printer, at this point all traffic stops. I tried the L2 ethertype ACL mentioned above with no success. I am running version 614011s code on teh switch.

qos ip-acl name hurcoll4250 src-ip 192.168.53.1/32 dst-ip 192.168.52.5/32
qos ip-acl name hurcoll4250 src-ip 192.168.53.1/32 dst-ip 192.168.52.4/32
qos ip-acl name hurcoll4250 src-ip 192.168.53.1/32 dst-ip 192.168.2.88/32
qos ip-acl name hurcoll4250 src-ip 192.168.52.5/32 dst-ip 192.168.53.1/32
qos ip-acl name hurcoll4250 src-ip 192.168.52.4/32 dst-ip 192.168.53.1/32
qos ip-acl name hurcoll4250 src-ip 192.168.2.88/32 dst-ip 192.168.53.1/32

qos ip-acl name hurcoll4250 drop-action enable

qos acl-assign port 40 acl-type ip name hurcoll4250

]]>
By: Alex https://blog.michaelfmcnamara.com/2010/07/traffic-filters-and-acls-for-the-ethernet-routing-switch-5000/comment-page-1/#comment-4813 Wed, 14 Sep 2011 14:40:01 +0000 http://blog.michaelfmcnamara.com/?p=1483#comment-4813 In reply to Alex.

Sorry my previous post is wrong.
I messed up in my test, it’s still not working as expected…

]]>
By: Alex https://blog.michaelfmcnamara.com/2010/07/traffic-filters-and-acls-for-the-ethernet-routing-switch-5000/comment-page-1/#comment-4812 Wed, 14 Sep 2011 13:21:25 +0000 http://blog.michaelfmcnamara.com/?p=1483#comment-4812 In reply to Drunkard.

Drunkard,

I had the same problem.
Try adding an L2-ACL in which you specify the arp ethertype (0x0806)

qos l2-acl name “monL2” ethertype 0x0806 drop-action disable
qos l2-acl name “monL2” drop-action disable

even the L2 ethertype “ignore” doesn’t take arp into account…

It worked for me.

]]>
By: Drunkard https://blog.michaelfmcnamara.com/2010/07/traffic-filters-and-acls-for-the-ethernet-routing-switch-5000/comment-page-1/#comment-4778 Wed, 07 Sep 2011 02:26:10 +0000 http://blog.michaelfmcnamara.com/?p=1483#comment-4778 In reply to Michael McNamara.

Hi Michael,

I added an L2-ACL:
qos l2-acl name “monL2” drop-action disable
qos acl-assign port 3 acl-type l2 name “monL2”
but it didn’t help :(

Best regards.

]]>
By: Michael McNamara https://blog.michaelfmcnamara.com/2010/07/traffic-filters-and-acls-for-the-ethernet-routing-switch-5000/comment-page-1/#comment-4752 Thu, 01 Sep 2011 00:22:47 +0000 http://blog.michaelfmcnamara.com/?p=1483#comment-4752 In reply to Drunkard.

Hi Drunkard,

It appears you are right… the IP-ACL will only permit IP traffic (Ethertype 0x0800) and blocks ARP (Ethertype 0x0806). I’m not sure if you can attach a L2-ACL to allow ARP. I’m very busy these days but if I have time I’ll try to test it out myself.

Cheers!

]]>
By: Drunkard https://blog.michaelfmcnamara.com/2010/07/traffic-filters-and-acls-for-the-ethernet-routing-switch-5000/comment-page-1/#comment-4736 Sat, 27 Aug 2011 04:23:28 +0000 http://blog.michaelfmcnamara.com/?p=1483#comment-4736 Hi Michael,

ARP Inspection is disabled. NO, my configuration isn’t a factory default configuration... but I didn’t configure ARP on the switch! Without an ip-acl, ARP and DHCP work well.
And after: qos acl-assign port 3 acl-type ip name “mon”
they stop working, even if the ACL has one rule permitting all traffic.

]]>
By: Michael McNamara https://blog.michaelfmcnamara.com/2010/07/traffic-filters-and-acls-for-the-ethernet-routing-switch-5000/comment-page-1/#comment-4727 Fri, 26 Aug 2011 14:22:36 +0000 http://blog.michaelfmcnamara.com/?p=1483#comment-4727 In reply to Drunkard.

Hi Drunkard,

Those ACLs should only examine IP packets, do you have Dynamic ARP Inspection enabled? Are you testing this from a factory default configuration?

Cheers!

]]>
By: Drunkard https://blog.michaelfmcnamara.com/2010/07/traffic-filters-and-acls-for-the-ethernet-routing-switch-5000/comment-page-1/#comment-4718 Fri, 26 Aug 2011 09:28:43 +0000 http://blog.michaelfmcnamara.com/?p=1483#comment-4718 Hi Michael,

I tried an ip-acl on a Nortel 5510:
qos ip-acl name “mon” src-ip 172.16.2.1/32 protocol 6 src-port-min 80 src-port-max 80
qos ip-acl name “mon” src-ip 172.16.2.1/32 protocol 6 src-port-min 3389 src-port-max 3389
qos ip-acl name “mon” drop-action enable set-drop-prec low-drop
qos acl-assign port 3 acl-type ip name “mon”

After that, the PC (172.16.2.1) can’t get an answer to its ARP request, and as a result there is no traffic...
If I add a static ARP record on the PC, everything works, and the ip-acl too.

How can I permit ARP, DHCP, etc. traffic?

Best regards,
Konstantin.

]]>
By: Michael McNamara https://blog.michaelfmcnamara.com/2010/07/traffic-filters-and-acls-for-the-ethernet-routing-switch-5000/comment-page-1/#comment-4642 Fri, 05 Aug 2011 03:49:19 +0000 http://blog.michaelfmcnamara.com/?p=1483#comment-4642 In reply to Tim.

Hi Tim,

You’re probably not running the latest and greatest software release. I believe I did that lab running 6.1.x software.

Good Luck!

]]>
By: charles https://blog.michaelfmcnamara.com/2010/07/traffic-filters-and-acls-for-the-ethernet-routing-switch-5000/comment-page-1/#comment-4611 Sun, 31 Jul 2011 07:33:02 +0000 http://blog.michaelfmcnamara.com/?p=1483#comment-4611 The information on the blogs is just 100% precise and very, very (allow me to say very again) clear. Thanks for the solutions you provide.

Charles Milanya
Nairobi
kenya.

]]>
By: Tim https://blog.michaelfmcnamara.com/2010/07/traffic-filters-and-acls-for-the-ethernet-routing-switch-5000/comment-page-1/#comment-4594 Thu, 28 Jul 2011 09:35:50 +0000 http://blog.michaelfmcnamara.com/?p=1483#comment-4594 Hi Michael,
I’m an ex-Nortel-er – your site is great. I am having some issues configuring my ERS 5520 – I’m trying to create a DMZ and need to create an ACL/filter to block hosts on the DMZ segment from contacting the ‘secure’ segment. The NT documentation seems to indicate that I should be able to create an ip-element filtering on TCP flags (e.g. just ‘SYN’) but when I go to do this on my switch, the tcp-control option isn’t there. Any suggestions? I keep reading the documentation but don’t find anything. Could I just create a system element with the byte pattern I’m looking for?
Best regards,
Tim

]]>
By: Michael McNamara https://blog.michaelfmcnamara.com/2010/07/traffic-filters-and-acls-for-the-ethernet-routing-switch-5000/comment-page-1/#comment-4439 Mon, 27 Jun 2011 02:33:36 +0000 http://blog.michaelfmcnamara.com/?p=1483#comment-4439 In reply to Rhys.

Hi Rhys,

I believe the drop needs to be the last statement in your ACL. If you want to allow other traffic through the filter, you need to create a rule in the ACL before your last statement that allows that specific traffic.

Cheers!

]]>
By: Rhys https://blog.michaelfmcnamara.com/2010/07/traffic-filters-and-acls-for-the-ethernet-routing-switch-5000/comment-page-1/#comment-4426 Thu, 23 Jun 2011 11:02:36 +0000 http://blog.michaelfmcnamara.com/?p=1483#comment-4426 Hi,

I am having trouble with ACLs on the ERS 5000 series switches. I have the following configuration:

qos ip-acl name test src-ip 10.0.0.5/32 dst-ip 10.0.0.100/32 protocol 6 dst-port-min 22 dst-port-max 22 drop-action disable

qos ip-acl name test src-ip 10.0.0.5/32 dst-ip 10.0.0.100/32 protocol 17 dst-port-min 161 dst-port-max 161 drop-action disable

qos ip-acl name test dst-ip 10.0.0.100/32 drop-action enable

qos ip-acl name test drop-action disable

The above is applied to several ports.

The access list is supposed to allow SSH and SNMP to the switch from a specified range (rules one and two), block any other access to the switch (rule three) and allow any other device to communicate with anything (rule four).
Rules 1-3 seem to work; I can SSH and SNMP to the switch from the specified IP range with no problems, and ICMP and telnet are blocked.

I can then contact some devices on the subnet (.20) but not others (.201 and .202)

I have also tried applying rule four using 0.0.0.0/0 as the src and dst but this gives the same result.

Any help would be greatly appreciated

Thanks,

Rhys.

]]>
By: Michael McNamara https://blog.michaelfmcnamara.com/2010/07/traffic-filters-and-acls-for-the-ethernet-routing-switch-5000/comment-page-1/#comment-4409 Mon, 20 Jun 2011 03:29:40 +0000 http://blog.michaelfmcnamara.com/?p=1483#comment-4409 In reply to jitendra.

Hi jitendra,

I’m not quite sure I understand... how is the ACL working fine if it’s disrupting communications to/from nodes in that VLAN?

Good Luck!

]]>
By: jitendra https://blog.michaelfmcnamara.com/2010/07/traffic-filters-and-acls-for-the-ethernet-routing-switch-5000/comment-page-1/#comment-4399 Thu, 16 Jun 2011 07:51:18 +0000 http://blog.michaelfmcnamara.com/?p=1483#comment-4399 Hello
When I applied an ACL on ports that are in the same VLAN, the ACL works fine but the nodes in that VLAN stop communicating.

]]>