Avaya Support Forums  

#1  10-17-2012, 09:20 AM  creinelt (Aspiring Member, joined Oct 2012, 2 posts)
5500/5600/7000 Port limiting question

We have all the aforementioned Avaya switches in our network and I'm wondering if it's possible to limit by port number on an interface.

For example, let's say I have a server plugged into interface 1/5 on a 5520 and that port is designated to our "server management VLAN" (not VLAN 1), which is to be used only by server admins to access their servers remotely via RDC on port 3389.

Now I've discovered some admins are using this as a convenient network to transfer updates and large data files around between their servers, and it's degrading bandwidth for all other servers that are part of the same network.

What I'm hoping to do is say: interface 1/5 on the 5520 is only allowed to be used by port 3389 (RDC); all other ports are disallowed.

I've been scouring the documentation but am having no luck finding out if this is possible. Does anybody here know if it is?

TIA
#2  10-22-2012, 10:17 AM  sidneyd (Hot Shot, joined Aug 2012, 17 posts)

Your solution here would be to create a Traffic Profile Filter or ACL in which you
a) accept traffic based on L4 criteria - that is port 3389
b) drop all other traffic with this traffic profile/ACL.

Then apply this to the respective ports.
#3  10-23-2012, 10:49 AM  creinelt (Aspiring Member, joined Oct 2012, 2 posts)

Quote: Originally Posted by sidneyd
Your solution here would be to create a Traffic Profile Filter or ACL in which you
a) accept traffic based on L4 criteria - that is port 3389
b) drop all other traffic with this traffic profile/ACL.

Then apply this to the respective ports.
Thanks for the reply and info.

At the risk of sounding stupid, I've looked through the telnet and CLI interfaces on a 5520 and can't find where to do the above.

Would you be so kind as to point me in the right direction.....

TIA

#4  10-29-2012, 08:49 AM  sidneyd (Hot Shot, joined Aug 2012, 17 posts)

If you check in the Quality of Service Guide, this talks about ACLs, Traffic Filters etc. There are also some Technical Configuration Guides available about how to set up QoS, which can prove invaluable in understanding the complexities.
#5  10-16-2013, 07:31 PM  mchaitaniyak (Member, joined Aug 2013, 3 posts)
Example configuration for IP-based ACL to block all other traffic except RDP - 3389

Hello creinelt,

Firstly, I believe the SW version we have on the ERS 5520 switches is 5.x and above. If it is, you can definitely consider configuring an Access Control List (ACL), which can be applied at port level, in your case on port 1/5 where we have the server connected.

5500(config)# qos ip-acl name host src-ip 172.1.1.10/32 protocol 6 src-port-min 3389 src-port-max 3389 update-dscp 18 block tcpcommon

5500(config)# qos ip-acl name host drop-action enable

5500(config)# qos acl-assign port 1/5 acl-type ip name host

-> Here we have the ACL name as "host", and I took the liberty of considering the source subnet, from where you might have RDC requests, as "172.1.1.10".
-> Protocol 6 is to mention it's TCP traffic, as RDP works on TCP 3389.
-> The first two IP-ACLs are assigned to a block named tcpcommon. Since we are only allowed up to eight precedence levels, it is a good idea to use block configuration whenever possible.
-> The third IP-ACL is required to match all other traffic. As the default implicit action is drop all non-matching traffic, if this command is not entered, all other traffic from 172.1.1.10 would be allowed.

Hope this helps!
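As an added worked example for the procedure sidneyd outlined in #2 and the commands in #5 (this is not code from either poster or from Avaya documentation), here is the same port-level filter with the server and admin roles made explicit, one extra "required service" entry, the catch-all drop, and the verification commands. The addresses (server 10.10.20.15 on port 1/5, admin workstations in 10.10.30.0/24, DNS server 10.10.1.53), the ACL name rdp-only, and the dst-ip/dst-port-min/dst-port-max and show qos keywords are my assumptions based on the ERS 5500 QoS CLI; check each keyword against the QoS guide for your firmware before pasting. The point the thread does not spell out: an ACL assigned to a port on these switches matches frames entering the switch on that port, so on 1/5 it sees what the server sends. The server's RDP replies carry TCP source port 3389, which is why the permit entry uses src-port rather than dst-port.

```text
! Added example, not from the thread. Constructed addresses:
!   server on port 1/5 ........... 10.10.20.15
!   admin workstations (RDP) ..... 10.10.30.0/24
!   DNS the server must reach .... 10.10.1.53
! ACL entries are evaluated in order; a later entry with no match
! fields and drop-action enable is the catch-all deny.

! 1. Permit RDP: TCP traffic the server sends from source port 3389
!    back to the admin subnet. Any other TCP session fails because its
!    return half is dropped here, so the server can neither serve nor
!    initiate SMB, HTTP, SCP, etc.
5500(config)# qos ip-acl name rdp-only src-ip 10.10.20.15/32 dst-ip 10.10.30.0/24 protocol 6 src-port-min 3389 src-port-max 3389

! 2. Permit anything else the server genuinely needs. Example: DNS
!    queries (UDP, protocol 17) to the DNS server. Add similar entries
!    for NTP, AD, monitoring or patching before the catch-all, or the
!    server loses them too.
5500(config)# qos ip-acl name rdp-only src-ip 10.10.20.15/32 dst-ip 10.10.1.53/32 protocol 17 dst-port-min 53 dst-port-max 53

! 3. Catch-all: no match fields, drop everything not matched above.
5500(config)# qos ip-acl name rdp-only drop-action enable

! 4. Bind the ACL to the server's port (ingress on 1/5).
5500(config)# qos acl-assign port 1/5 acl-type ip name rdp-only

! 5. Verify the entries and the assignment.
5500# show qos ip-acl
5500# show qos acl-assign
```

Test it from an admin workstation before and after step 4: an RDP session to 10.10.20.15 should still connect, while a file copy to or from the server over SMB should fail with a timeout rather than a reset, since the switch silently drops the return packets. Two caveats a practitioner would want stated: this restricts port numbers, not what travels inside the RDP session (clipboard and drive redirection still move files), and because the ACL drops rather than shapes, any service you forget to permit simply stops working. If the real problem is bandwidth rather than access, the same QoS guide also covers policing and shaping, which may fit better than a hard deny.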
