Avaya Support Forums

Avaya Support Forums (http://support.avaya.com/forums/index.php)
-   Avaya Networking Products (http://support.avaya.com/forums/forumdisplay.php?f=25)
-   -   5500/5600/7000 Port limiting question (http://support.avaya.com/forums/showthread.php?t=2198)

creinelt 10-17-2012 09:20 AM

5500/5600/7000 Port limiting question
 
We have all the aforementioned Avaya switches in our network and I'm wondering if it's possible to limit by port number on an interface.

For example, let's say I have a server plugged into interface 1/5 on a 5520 and that port is designated to our "server management VLAN" (not VLAN 1), which is to be used only by server admins to access their servers remotely via RDC on port 3389.

Now I've discovered some admins are using this as a convenient network to transfer updates and large data files around between their servers, and it's degrading bandwidth for all other servers that are part of the same network.

What I'm hoping to do is say: interface 1/5 on the 5520 is only allowed to be used by port 3389 (RDC); all other ports are disallowed.

I've been scouring the documentation but am having no luck finding out if this is possible. Does anybody here know if it is?

TIA

sidneyd 10-22-2012 10:17 AM

Your solution here would be to create a Traffic Profile Filter or ACL in which you
a) accept traffic based on L4 criteria - that is port 3389
b) drop all other traffic with this traffic profile/ACL.

Then apply this to the respective ports.

creinelt 10-23-2012 10:49 AM

Quote:

Originally Posted by sidneyd (Post 5807)
Your solution here would be to create a Traffic Profile Filter or ACL in which you
a) accept traffic based on L4 criteria - that is port 3389
b) drop all other traffic with this traffic profile/ACL.

Then apply this to the respective ports.

Thanks for the reply and info.

At the risk of sounding stupid, I've looked through the telnet and CLI interfaces on a 5520 and can't find where to do the above.

Would you be so kind as to point me in the right direction.....

TIA

sidneyd 10-29-2012 08:49 AM

If you check in the Quality of Service Guide, this talks about ACLs, Traffic Filters etc. There are also some Technical Configuration Guides which are available about how to set up QoS, which can prove invaluable in understanding the complexities.

mchaitaniyak 10-16-2013 07:31 PM

Example configuration for IP-based ACL to block all other traffic except RDP - 3389
 
Hello creinelt,

Firstly, I believe the SW version we have on the ERS 5520 switches is 5.x and above. If it is, you can definitely consider configuring an Access Control List (ACL), which can be applied at port level, in your case on port 1/5 where we have the server connected.

5500 (config)#qos ip-acl name host src-ip 172.1.1.10/32 protocol 6 src-port-min 3389 src-port-max 3389 update-dscp 18 block tcpcommon

5500 (config)#qos ip-acl name host drop-action enable

5500 (config)#qos acl-assign port 1/5 acl-type ip name host

-> Here we have the ACL name as "host", and I took the liberty to consider the source subnet, from where you might have RDC requests, as "172.1.1.10".
-> Protocol 6 is to mention it's TCP traffic, as RDP works on TCP 3389.
-> The first two IP-ACLs are assigned to a block named tcpcommon. Since we are only allowed up to eight precedence levels, it is a good idea to use block configuration whenever possible.
-> The third IP-ACL is required to match all other traffic. As the default implicit action is drop all non-matching traffic, if this command is not entered, all other traffic from 172.1.1.10 would be allowed.

Hope this helps !!!!
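
A small Python model of the ACL logic in the post above (an added example, not code from the thread or from Avaya): it assumes first-match evaluation on ingress of port 1/5, which is an assumption to check against the ERS QoS guide, and shows why the catch-all drop-action entry matters, since without it a non-RDP flow from the server is not filtered at all.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

TCP = 6  # IP protocol number used in "protocol 6" on the ip-acl line

@dataclass
class AclEntry:
    """One 'qos ip-acl name host ...' entry; None means the field is not a criterion."""
    src_ip: Optional[str] = None        # CIDR, e.g. 172.1.1.10/32
    protocol: Optional[int] = None      # IP protocol number
    src_port_min: Optional[int] = None
    src_port_max: Optional[int] = None
    drop: bool = False                  # 'drop-action enable'

    def matches(self, src: str, proto: int, sport: int) -> bool:
        if self.src_ip and ip_address(src) not in ip_network(self.src_ip):
            return False
        if self.protocol is not None and proto != self.protocol:
            return False
        if self.src_port_min is not None and not (self.src_port_min <= sport <= self.src_port_max):
            return False
        return True

def evaluate(acl: List[AclEntry], src: str, proto: int, sport: int) -> str:
    """Decide one ingress packet: first matching entry wins (assumed semantics)."""
    for entry in acl:
        if entry.matches(src, proto, sport):
            return "drop" if entry.drop else "permit"
    return "permit"  # nothing matched, so the packet is not filtered

# Entry 1: the RDP match from the post (src-ip 172.1.1.10/32 protocol 6 src-port 3389)
RDP_ENTRY = AclEntry("172.1.1.10/32", TCP, 3389, 3389)
# Entry 2: the 'drop-action enable' entry with no criteria, i.e. match everything else
DROP_ALL = AclEntry(drop=True)

ACL_WITH_CATCH_ALL = [RDP_ENTRY, DROP_ALL]
ACL_WITHOUT_CATCH_ALL = [RDP_ENTRY]

# Constructed sample flows as seen on ingress of port 1/5: (src IP, proto, src port)
SAMPLES = {
    "rdp_reply": ("172.1.1.10", TCP, 3389),   # RDP server answering an admin
    "smb_copy": ("172.1.1.10", TCP, 445),     # file transfer between servers
    "udp_3389": ("172.1.1.10", 17, 3389),     # right port, wrong protocol
    "other_host": ("172.1.1.20", TCP, 3389),  # RDP from an IP outside the /32
}

def audit(acl: List[AclEntry]) -> dict:
    """Apply an ACL to every sample flow and report the decision per flow."""
    return {name: evaluate(acl, *pkt) for name, pkt in SAMPLES.items()}
```

Running audit() against both lists shows only the RDP reply surviving the full ACL, while the version without the catch-all entry lets the SMB copy through untouched.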
