There have been a few recent comments on the blog and a few questions on the discussion forum around how ACLs (traffic filters) work on the Ethernet Routing Switch 5520. I thought I would take a few minutes to dive into the subject and perhaps either answer some of those questions or foster some additional discussion. Let me get right to the most popular question.
Is the Ethernet Routing Switch 5510/5520/5530 capable of performing basic IP filtering? Yes.
Prior to software release 5.0 you had to do all filtering in QoS policies. It seems a lot of confusion comes from the fact that in order to perform IP filtering similar to an ACL in a Cisco router you had to create a QoS policy. With the release of 5.0 software you can now create fairly straightforward ACLs. You can only do this from the CLI or Web interface; there’s no support for ACLs in Java Device Manager.
Let me walk you through a simple example.
I started with an ERS-5520-PWR, factory reset the switch, and gave it a management IP address of 192.168.1.50 (VLAN 1);
5520-48T-PWR(config)#ip address switch 192.168.1.50
5520-48T-PWR(config)#ip default-gateway 192.168.1.1
5520-48T-PWR(config)#ip address netmask 255.255.255.0
I created VLAN 100 and moved ports 13-48 to VLAN 100, making sure to set the PVID;
5520-48T-PWR(config)#vlan members remove 1 13-48
5520-48T-PWR(config)#vlan create 100 type port
5520-48T-PWR(config)#vlan members add 100 13-48
5520-48T-PWR(config)#vlan ports 13-48 pvid 100
I enabled IP routing on the switch (remember out of the box it’s just a Layer 2 switch);
5520-48T-PWR(config)#ip routing
I enabled IP routing for VLAN 1 and then gave VLAN 100 an IP address/interface;
5520-48T-PWR(config)#interface vlan 1
5520-48T-PWR(config-if)#ip routing
5520-48T-PWR(config-if)#exit
5520-48T-PWR(config)#interface vlan 100
5520-48T-PWR(config-if)#ip address 192.168.100.1 255.255.255.0 2
5520-48T-PWR(config-if)#ip routing
5520-48T-PWR(config-if)#exit
Let’s just make sure that everything looks right before we get to the real meat of this post;
5520-48T-PWR#show vlan ip
==============================================================================
Vid  ifIndex  Address        Mask            MacAddress         Offset  Routing
==============================================================================
Primary Interfaces
------------------------------------------------------------------------------
1    10001    192.168.1.50   255.255.255.0   00:1F:0A:CE:XX:40  1       Enabled
100  10100    192.168.100.1  255.255.255.0   00:1F:0A:CE:XX:41  2       Enabled
------------------------------------------------------------------------------
% Total of Primary Interfaces: 2
The two IP interfaces are configured properly and have routing enabled. Let’s make sure that the routing table is correct;
5520-48T-PWR#show ip route
===============================================================================
                                   Ip Route
===============================================================================
DST            MASK             NEXT           COST  VLAN  PORT  PROT  TYPE  PRF
-------------------------------------------------------------------------------
0.0.0.0        0.0.0.0          192.168.1.1    10    1     1     S     IB    5
192.168.1.0    255.255.255.0    192.168.1.50   1     1     ----  C     DB    0
192.168.100.0  255.255.255.0    192.168.100.1  1     100   ----  C     DB    0
Total Routes: 3
-------------------------------------------------------------------------------
TYPE Legend:
I=Indirect Route, D=Direct Route, A=Alternative Route, B=Best Route,
E=Ecmp Route, U=Unresolved Route, N=Not in HW
Here’s where the real work starts. I created an ACL named “testacl” and then assigned it to port 23.
5520-48T-PWR(config)#qos ip-acl name testacl src-ip 192.168.100.0/24 protocol 6 dst-port-min 80 dst-port-max 80
5520-48T-PWR(config)#qos ip-acl name testacl drop-action enable
5520-48T-PWR(config)#qos acl-assign port 23 acl-type ip name testacl
In the statements above, the first command creates an ACL entry that allows traffic sourced from 192.168.100.0/24 to a destination TCP port of 80 to pass unrestricted; the second (drop-action enable) appends a catch-all entry that blocks (drops) all other traffic; the third assigns that ACL to port 23, where I have a test PC connected to the switch.
Let’s just pretend that you forgot to allow DNS (UDP/53) queries in your IP filter, so let’s back out the ACL and recreate it.
First we need to determine the ACL number that was assigned to our ACL called “testacl”. We can do that by issuing the following command;
5520-48T-PWR#show qos acl
Id     Name                          State     ACL   Unit/Port  Storage
                                               Type             Type
_____  ____________________________  ________  ____  _________  ________
1      testacl                       Enabled   IP    1/23       NonVol
We also need to know how many rules are in the IP ACL that’s being referenced above. We can do that with the following command;
5520-48T-PWR#show qos ip-acl
Id: 1
Name: testacl
Block:
Address Type: IPv4
Destination Addr/Mask: Ignore
Source Addr/Mask: 192.168.100.0/24
DSCP: Ignore
IPv4 Protocol / IPv6 Next Header: TCP
Destination L4 Port Min: 80
Destination L4 Port Max: 80
Source L4 Port Min: Ignore
Source L4 Port Max: Ignore
IPv6 Flow Id: Ignore
Action Drop: No
Action Update DSCP: Ignore
Action Update 802.1p Priority: Ignore
Action Set Drop Precedence: Low Drop
Type: Access List
Storage Type: NonVolatile

Id: 2
Name: testacl
Block:
Address Type: IPv4
Destination Addr/Mask: Ignore
Source Addr/Mask: Ignore
DSCP: Ignore
IPv4 Protocol / IPv6 Next Header: Ignore
Destination L4 Port Min: Ignore
Destination L4 Port Max: Ignore
Source L4 Port Min: Ignore
Source L4 Port Max: Ignore
IPv6 Flow Id: Ignore
Action Drop: Yes
Action Update DSCP: Ignore
Action Update 802.1p Priority: Ignore
Action Set Drop Precedence: Low Drop
Type: Access List
Storage Type: NonVolatile
Now we can remove the ACL from port 23 and then delete it from the switch;
5520-48T-PWR(config)#no qos acl-assign 1
5520-48T-PWR(config)#no qos ip-acl 2
5520-48T-PWR(config)#no qos ip-acl 1
Now we’ll rebuild the ACL allowing DNS queries to the broadband router;
5520-48T-PWR(config)#qos ip-acl name testacl src-ip 192.168.100.0/24 protocol 6 dst-port-min 80 dst-port-max 80
5520-48T-PWR(config)#qos ip-acl name testacl src-ip 192.168.100.0/24 dst-ip 192.168.1.1/32 protocol 17 dst-port-min 53 dst-port-max 53
5520-48T-PWR(config)#qos ip-acl name testacl drop-action enable
5520-48T-PWR(config)#qos acl-assign port 23 acl-type ip name testacl
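To make the first-match behaviour of the two versions of testacl concrete, here is an added Python model of the evaluation (my own example, not code from the post or from Nortel/Avaya). It encodes the entries exactly as the CLI statements above create them, including the catch-all drop entry that drop-action enable appends, and runs a handful of constructed sample flows from the test PC on port 23 through each version. The sample addresses, the flow names and the assumption that traffic matching no entry is permitted when no catch-all exists are mine, not something the post states.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model of the post's "qos ip-acl" semantics: entries are tried in
# order, the first match decides, and "drop-action enable" appends a catch-all
# drop entry. Protocol numbers follow the CLI ("protocol 6" = TCP, 17 = UDP).
TCP, UDP = 6, 17


@dataclass
class AclEntry:
    # None stands for the "Ignore" that "show qos ip-acl" prints for a field
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    protocol: Optional[int] = None
    dst_port: Optional[Tuple[int, int]] = None  # (dst-port-min, dst-port-max)
    drop: bool = False

    def matches(self, src_ip: str, dst_ip: str, protocol: int, dst_port: int) -> bool:
        if self.src is not None and ipaddress.ip_address(src_ip) not in self.src:
            return False
        if self.dst is not None and ipaddress.ip_address(dst_ip) not in self.dst:
            return False
        if self.protocol is not None and protocol != self.protocol:
            return False
        if self.dst_port is not None and not (self.dst_port[0] <= dst_port <= self.dst_port[1]):
            return False
        return True


def evaluate(acl: List[AclEntry], src_ip: str, dst_ip: str, protocol: int, dst_port: int) -> str:
    """Return 'permit' or 'drop' for one packet under first-match evaluation."""
    for entry in acl:
        if entry.matches(src_ip, dst_ip, protocol, dst_port):
            return "drop" if entry.drop else "permit"
    # Assumption of this model: with no catch-all entry, unmatched traffic is
    # permitted. The post only shows ACLs built with "drop-action enable".
    return "permit"


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


LAN = net("192.168.100.0/24")

# First version of testacl from the post: HTTP from the LAN, then drop everything.
ACL_V1 = [
    AclEntry(src=LAN, protocol=TCP, dst_port=(80, 80)),
    AclEntry(drop=True),  # added by "drop-action enable"
]

# Rebuilt version: HTTP from the LAN plus DNS to the broadband router 192.168.1.1.
ACL_V2 = [
    AclEntry(src=LAN, protocol=TCP, dst_port=(80, 80)),
    AclEntry(src=LAN, dst=net("192.168.1.1/32"), protocol=UDP, dst_port=(53, 53)),
    AclEntry(drop=True),
]

# Constructed sample flows from a test PC on port 23 (TEST-NET-2 addresses).
SAMPLES = {
    "http": ("192.168.100.10", "198.51.100.20", TCP, 80),
    "dns_to_router": ("192.168.100.10", "192.168.1.1", UDP, 53),
    "dns_to_external": ("192.168.100.10", "198.51.100.53", UDP, 53),
    "https": ("192.168.100.10", "198.51.100.20", TCP, 443),
}


def decisions(acl: List[AclEntry]) -> dict:
    """Evaluate every sample flow against an ACL and return name -> verdict."""
    return {name: evaluate(acl, *flow) for name, flow in SAMPLES.items()}


if __name__ == "__main__":
    for label, acl in (("testacl v1", ACL_V1), ("testacl v2", ACL_V2)):
        print(label)
        for name, verdict in decisions(acl).items():
            print(f"  {name:<16} {verdict}")
```

Running it shows the failure mode the post describes: under the first ACL only the HTTP flow passes and the DNS query to the router is dropped, while the rebuilt ACL permits DNS to 192.168.1.1 and still drops DNS to any other resolver. Evaluating ACL_V1 without its last entry shows why the drop-action enable line matters: with no catch-all, the model permits the HTTPS flow that the real ACL was meant to block.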
Now that we have our filter let’s see what it looks like (I’m not a fan of this output format);
5520-48T-PWR#show qos ip-acl
Id: 1
Name: testacl
Block:
Address Type: IPv4
Destination Addr/Mask: Ignore
Source Addr/Mask: 192.168.100.0/24
DSCP: Ignore
IPv4 Protocol / IPv6 Next Header: TCP
Destination L4 Port Min: 80
Destination L4 Port Max: 80
Source L4 Port Min: Ignore
Source L4 Port Max: Ignore
IPv6 Flow Id: Ignore
Action Drop: No
Action Update DSCP: Ignore
Action Update 802.1p Priority: Ignore
Action Set Drop Precedence: Low Drop
Type: Access List
Storage Type: NonVolatile

Id: 2
Name: testacl
Block:
Address Type: IPv4
Destination Addr/Mask: 192.168.1.1/32
Source Addr/Mask: 192.168.100.0/24
DSCP: Ignore
IPv4 Protocol / IPv6 Next Header: UDP
Destination L4 Port Min: 53
Destination L4 Port Max: 53
Source L4 Port Min: Ignore
Source L4 Port Max: Ignore
IPv6 Flow Id: Ignore
Action Drop: No
Action Update DSCP: Ignore
Action Update 802.1p Priority: Ignore
Action Set Drop Precedence: Low Drop
Type: Access List
Storage Type: NonVolatile

Id: 3
Name: testacl
Block:
Address Type: IPv4
Destination Addr/Mask: Ignore
Source Addr/Mask: Ignore
DSCP: Ignore
IPv4 Protocol / IPv6 Next Header: Ignore
Destination L4 Port Min: Ignore
Destination L4 Port Max: Ignore
Source L4 Port Min: Ignore
Source L4 Port Max: Ignore
IPv6 Flow Id: Ignore
Action Drop: Yes
Action Update DSCP: Ignore
Action Update 802.1p Priority: Ignore
Action Set Drop Precedence: Low Drop
Type: Access List
Storage Type: NonVolatile
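Since that verbose output makes it hard to see the rule set at a glance, here is an added Python script (my own, not from the post or from Nortel/Avaya) that parses show qos ip-acl output into one dict per Id block and prints a one-line-per-rule table. The embedded text is constructed to mirror the three testacl entries above, one field per line as the switch prints them; the compact column layout and the "any" shorthand for Ignore are my choices.

```python
from typing import Dict, List

# Constructed "show qos ip-acl" output mirroring the post's rebuilt testacl.
SAMPLE_OUTPUT = """\
Id: 1
Name: testacl
Block:
Address Type: IPv4
Destination Addr/Mask: Ignore
Source Addr/Mask: 192.168.100.0/24
DSCP: Ignore
IPv4 Protocol / IPv6 Next Header: TCP
Destination L4 Port Min: 80
Destination L4 Port Max: 80
Source L4 Port Min: Ignore
Source L4 Port Max: Ignore
IPv6 Flow Id: Ignore
Action Drop: No
Action Update DSCP: Ignore
Action Update 802.1p Priority: Ignore
Action Set Drop Precedence: Low Drop
Type: Access List
Storage Type: NonVolatile
Id: 2
Name: testacl
Block:
Address Type: IPv4
Destination Addr/Mask: 192.168.1.1/32
Source Addr/Mask: 192.168.100.0/24
DSCP: Ignore
IPv4 Protocol / IPv6 Next Header: UDP
Destination L4 Port Min: 53
Destination L4 Port Max: 53
Source L4 Port Min: Ignore
Source L4 Port Max: Ignore
IPv6 Flow Id: Ignore
Action Drop: No
Action Update DSCP: Ignore
Action Update 802.1p Priority: Ignore
Action Set Drop Precedence: Low Drop
Type: Access List
Storage Type: NonVolatile
Id: 3
Name: testacl
Block:
Address Type: IPv4
Destination Addr/Mask: Ignore
Source Addr/Mask: Ignore
DSCP: Ignore
IPv4 Protocol / IPv6 Next Header: Ignore
Destination L4 Port Min: Ignore
Destination L4 Port Max: Ignore
Source L4 Port Min: Ignore
Source L4 Port Max: Ignore
IPv6 Flow Id: Ignore
Action Drop: Yes
Action Update DSCP: Ignore
Action Update 802.1p Priority: Ignore
Action Set Drop Precedence: Low Drop
Type: Access List
Storage Type: NonVolatile
"""


def parse_ip_acl(text: str) -> List[Dict[str, str]]:
    """Split the verbose output into one dict per 'Id:' block (field -> value)."""
    entries: List[Dict[str, str]] = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # not a "Field: value" line
        key, value = key.strip(), value.strip()
        if key == "Id":
            entries.append({"Id": value})  # a new Id line starts a new entry
        elif entries:
            entries[-1][key] = value
    return entries


def rule_summary(entry: Dict[str, str]) -> Dict[str, str]:
    """Reduce one entry to the fields that decide whether a packet matches."""
    pmin, pmax = entry["Destination L4 Port Min"], entry["Destination L4 Port Max"]
    dport = "any" if pmin == "Ignore" else (pmin if pmin == pmax else f"{pmin}-{pmax}")
    return {
        "id": entry["Id"],
        "action": "drop" if entry["Action Drop"] == "Yes" else "permit",
        "proto": entry["IPv4 Protocol / IPv6 Next Header"].replace("Ignore", "any"),
        "src": entry["Source Addr/Mask"].replace("Ignore", "any"),
        "dst": entry["Destination Addr/Mask"].replace("Ignore", "any"),
        "dport": dport,
    }


def format_table(text: str) -> str:
    """One line per rule, in the order the switch evaluates them."""
    rows = [rule_summary(e) for e in parse_ip_acl(text)]
    lines = [f"{'Id':<3}{'Action':<8}{'Proto':<6}{'Source':<20}{'Destination':<18}DPort"]
    for r in rows:
        lines.append(f"{r['id']:<3}{r['action']:<8}{r['proto']:<6}{r['src']:<20}{r['dst']:<18}{r['dport']}")
    return "\n".join(lines)
```

Calling print(format_table(SAMPLE_OUTPUT)) gives a three-row table (permit TCP/80 from the LAN, permit UDP/53 from the LAN to 192.168.1.1, drop any), which is the same information as the verbose output but readable in the order the rules are matched; feeding it the captured output of the real command works the same way because the parser keys only on "Field: value" lines.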
That’s a basic ACL filter using Layer 3 parameters. There is a Technical Configuration Guide available from Nortel/Avaya that provides additional examples and covers Filtering and QoS configuration of the Ethernet Routing Switch 5500 series switches. The guide is a little dated but still a very useful resource in my opinion.
Cheers!