Avaya Support Forums  

Go Back   Avaya Support Forums > Avaya Networking Products

Reply
 
Thread Tools Search this Thread Display Modes
  #1  
Old 05-30-2014, 10:31 AM
whitt26 whitt26 is offline
Member
 
Join Date: May 2014
Posts: 3
whitt26 has 10 reputation points
Default Implementing an ACL on ERS 8600 using CLI

Hello all! First post... Let's see how this goes. Anyway, I am trying to implement an ACL filter to ensure that my VLAN that is supposed to only be printer traffic is restricted from accessing the internet and only allowed to talk to local devices using specific protocols. I'm rather new to the 8600s, so bear with me. Here's what I got so far:


1. Create the ACT:
config filter act 80 create name DSTIP_PROTOCOL
config filter act 80 protocol tcpSrcPort,udpSrcPort,tcpDstPort,udpDstPort
config filter act 80 ip dstIp
config filter act 80 apply

2: Create the ACL:
filter acl 80 create inVlan act 80 pktType ipv4 name "INGRESS_VLAN_80"
filter acl 80 vlan add 80

3. Create the ACE:
filter acl 80 ace 1 create name "DENY_EXT_ACCESS"
filter acl 80 ace 1 deny stop-onmatch true
filter acl 80 ace 1 ip dst-ip ne XXX.XXX.0.0-XXX.XXX.255.255
filter acl 80 ace 1 enable
filter acl 80 ace 2 create name "ALLOW_PRINTER_PROTOCOLS"
filter acl 80 ace 2 action permit stop-onmatch true
filter acl 80 ace 2 protocol tcp-src-port eq 161,515,631,1782,9100-9102
filter acl 80 ace 2 protocol tcp-dst-port eq 161,515,631,1782,9100-9102
filter acl 80 ace 2 protocol udp-src-port eq 161,515,631,1782,9100-9102
filter acl 80 ace 2 protocol udp-dst-port eq 161,515,631,1782,9100-9102
filter acl 80 ace 2 enable


Am I on the right track? Is there a deny by default at the end of permit ACEs? Also, is there a way to throw a syslog trap when this ACL is violated? I'm not too worried about the protocols, I have the client systems guys tracking down and port that they need allowed.

Any help would be greatly appreciated.

Edit: I guess I should mention that I am running 7.1.3 and have the RS modules. I just noticed that the VLAN filtering is only compatible with the R/RS modules.
"The Ethernet Routing Switch 8800/8600 software provides some configuration guidelines. For example, when you add virtual local area networks (VLAN) to an ACL, a message indicates the filters apply only to the R, RS, or 8800 module port members of that VLAN."

Last edited by whitt26; 05-30-2014 at 01:04 PM. Reason: More information
Reply With Quote
Reply

Tags
acl, cli, ers 8600, filter, filtering

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT -7. The time now is 12:27 AM.

This Forum is provided solely for the use and convenience of Avaya customers and partners. Use of the Forum is subject to the Terms and Use and Privacy Statement found at www.avaya.com. No other use is permitted. The Forum including all content posted is “AS IS” and Avaya expressly disclaims all warranties and/or guarantees as to its accuracy, reliability, usefulness, quality or non-infringement of intellectual property. Avaya reserves the right to remove any content posted on the Forum at any time and for whatever reason.

Avaya will not be liable for any content posted on this Forum, including, without limitation, any errors or omissions or for any losses or damages of any kind incurred as a result of use or reliance on any content, regardless of its origin.

You expressly understand and agree that you assume all risks associated with use or reliance on this content.