5500/5600/7000 Port limiting question

  • creinelt
    Aspiring Member
    • Oct 2012
    • 2

    We have all the aforementioned Avaya switches in our network and I'm wondering if it's possible to limit by port number on an interface.

    For example, let's say I have a server plugged into interface 1/5 on a 5520 and that port is designated to our "server management VLAN" (not VLAN 1), which is to be used only by server admins to access their servers remotely via RDC on port 3389.

    Now I've discovered some admins are using this as a convenient network to transfer updates and large datafiles around between their servers and it's degrading bandwidth for all other servers that are part of the same network.

    What I'm hoping to do is say: interface 1/5 on the 5520 is only allowed to be used by port 3389 (RDC); all other ports are disallowed.

    I've been scouring the documentation but am having no luck finding out if this is possible. Does anybody here know if it is?

    TIA
  • sidneyd
    Hot Shot
    • Aug 2012
    • 17

    #2
    Your solution here would be to create a Traffic Profile Filter or ACL in which you
    a) accept traffic based on L4 criteria - that is port 3389
    b) drop all other traffic with this traffic profile/ACL.

    Then apply this to the respective ports.


    • creinelt
      Aspiring Member
      • Oct 2012
      • 2

      #3
      Originally posted by sidneyd
      Your solution here would be to create a Traffic Profile Filter or ACL in which you
      a) accept traffic based on L4 criteria - that is port 3389
      b) drop all other traffic with this traffic profile/ACL.

      Then apply this to the respective ports.
      Thanks for the reply and info.

      At the risk of sounding stupid, I've looked through the telnet and CLI interfaces on a 5520 and can't find where to do the above.

      Would you be so kind as to point me in the right direction.....

      TIA
      Last edited by creinelt; 10-23-2012, 10:50 AM. Reason: fixing a typo.


      • sidneyd
        Hot Shot
        • Aug 2012
        • 17

        #4
        If you check the Quality of Service Guide, this talks about ACLs, Traffic Filters etc. There are also some Technical Configuration Guides available about how to set up QoS which can prove invaluable in understanding the complexities.


        • mchaitaniyak
          Member
          • Aug 2013
          • 3

          #5
          Example configuration for IP-based ACL to block all other traffic except RDP - 3389

          Hello creinelt,

          Firstly, I believe the SW version we have on the ERS 5520 switches is 5.x and above. If it is, you can definitely consider configuring an Access Control List (ACL), which can be applied at port level, in your case on port 1/5 where we have the server connected.

          5500 (config)#qos ip-acl name host src-ip 172.1.1.10/32 protocol 6 src-port-min 3389 src-port-max 3389 update-dscp 18 block tcpcommon

          5500 (config)#qos ip-acl name host drop-action enable

          5500 (config)#qos acl-assign port 1/5 acl-type ip name host

          -> Here we have the ACL name as "host" and I took the liberty to consider the source subnet, from where you might have RDC requests, as "172.1.1.10".
          -> Protocol 6 is to mention it's TCP traffic, as RDP works on TCP 3389.
          -> The first two IP-ACLs are assigned to a block named tcpcommand. Since we are only allowed up to eight precedence levels, it is a good idea to use block configuration whenever possible.
          -> The third IP-ACL is required to match all other traffic. As the default implicit action is drop all non-matching traffic, if this command is not entered, all other traffic from 172.1.1.10 would be allowed.

          Hope this helps !!!!

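The following is an added example, not code from the thread or from Avaya: a small Python model of the port-level ACL that post #5 configures. It holds the single accept classifier (source 172.1.1.10/32, TCP, source port 3389), evaluates constructed sample flows against it, and shows what happens with and without the `drop-action enable` step, which is the pitfall the post points out. The model only covers the ingress direction on the server's port, which is the direction the posted rule applies to. Assumptions, labelled in the code: 172.1.1.10 is the managed server on port 1/5 (so its RDP replies carry source port 3389), the `Flow`, `Rule`, `evaluate`, `render_cli` and `check_policy` names are hypothetical, the sample flows are constructed, and `render_cli` reuses only the CLI tokens visible in post #5 (the `update-dscp 18 block tcpcommon` tokens are left out).

```python
"""Added example (not from the thread or from Avaya): a model of the per-port
ACL described in post #5, evaluated over constructed sample flows."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

TCP = 6  # IP protocol number the post refers to as "protocol 6"


@dataclass(frozen=True)
class Flow:
    """One packet as it ingresses the server's switch port (constructed data)."""
    src_ip: str
    dst_ip: str
    protocol: int
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    """One accept classifier of the IP ACL, in the shape post #5 uses."""
    src_net: str
    protocol: Optional[int] = None
    port_min: int = 0
    port_max: int = 65535
    port_field: str = "src_port"  # post #5 tests the source port

    def matches(self, flow: Flow) -> bool:
        if ip_address(flow.src_ip) not in ip_network(self.src_net, strict=False):
            return False
        if self.protocol is not None and flow.protocol != self.protocol:
            return False
        port = getattr(flow, self.port_field)
        return self.port_min <= port <= self.port_max


def evaluate(rules: List[Rule], flow: Flow, drop_nonmatching: bool) -> str:
    """First matching accept rule wins. Non-matching traffic is dropped only
    when drop-action is enabled; otherwise it passes (the pitfall post #5 notes)."""
    for rule in rules:
        if rule.matches(flow):
            return "accept"
    return "drop" if drop_nonmatching else "accept"


def render_cli(acl_name: str, port: str, rules: List[Rule]) -> List[str]:
    """Emit ERS-style lines using only the tokens shown in post #5.
    The post's extra 'update-dscp 18 block tcpcommon' tokens are left out here."""
    lines = []
    for r in rules:
        assert r.port_field == "src_port", "post #5 syntax covers source ports only"
        proto = f" protocol {r.protocol}" if r.protocol is not None else ""
        lines.append(
            f"qos ip-acl name {acl_name} src-ip {r.src_net}{proto}"
            f" src-port-min {r.port_min} src-port-max {r.port_max}"
        )
    lines.append(f"qos ip-acl name {acl_name} drop-action enable")
    lines.append(f"qos acl-assign port {port} acl-type ip name {acl_name}")
    return lines


# Assumption: 172.1.1.10 is the managed server on port 1/5, so its RDP
# replies leave with source port 3389, which is what post #5's rule matches.
RDP_ONLY = [Rule(src_net="172.1.1.10/32", protocol=TCP, port_min=3389, port_max=3389)]

# Constructed sample flows ingressing port 1/5.
SAMPLE_FLOWS: Dict[str, Flow] = {
    "rdp_reply":      Flow("172.1.1.10", "10.0.0.5",   TCP, 3389,  51000),  # admin session
    "smb_copy":       Flow("172.1.1.10", "172.1.1.20", TCP, 49200, 445),    # bulk file transfer
    "other_host_rdp": Flow("172.1.1.11", "10.0.0.5",   TCP, 3389,  51001),  # not the listed host
    "udp_3389":       Flow("172.1.1.10", "10.0.0.5",   17,  3389,  3389),   # right port, wrong protocol
}


def check_policy(drop_nonmatching: bool) -> Dict[str, str]:
    """Evaluate every sample flow against the RDP-only ACL."""
    return {name: evaluate(RDP_ONLY, flow, drop_nonmatching)
            for name, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for line in render_cli("host", "1/5", RDP_ONLY):
        print(line)
    print("drop-action enable :", check_policy(True))
    print("drop-action missing:", check_policy(False))
```

Running it with `drop_nonmatching=True` passes only the RDP reply and drops the bulk SMB copy, the other host's traffic and the UDP flow; with `drop_nonmatching=False` every sample flow passes, which is exactly why post #5 says the `drop-action enable` line must not be omitted. Traffic the admins push towards the server arrives on other ports and is not covered by an ingress ACL on 1/5, so a matching rule would be needed there too.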