ERS5000: Issue with ACL implementation (One way communication between VLANs not allowed)


Doc ID:    SOLN233805
Version:    1.0
Status:    Published
Published date:    26 Jul 2013
Author:    sharma68

Details

ERS5000: Customer reported that they are facing issues while implementing an ACL in a VLAN scenario that allows only one-way communication (VLAN X to VLAN Y: allowed; VLAN Y to VLAN X: blocked).

Problem Clarification

Complete Scenario:
Four VLANs (VLAN1-VLAN4)
VLAN2 (192.168.2.1) Ports#6-9, User#1 (192.168.2.10) Port#9
VLAN4 (192.168.4.1) Ports#16-20, User#1 (192.168.4.10) Port#19

Requirement:
Communication from VLAN2 to VLAN4 : Allowed
Communication from VLAN4 to VLAN2: Blocked
All other communications: Allowed

ACL Config done in lab:

qos ip-acl name testacl src-ip 192.168.4.0/24 dst-ip 192.168.2.0/24 drop-action enable set-drop-prec low-drop
qos ip-acl name testacl src-ip 192.168.2.0/24 dst-ip 192.168.4.0/24 drop-action disable set-drop-prec low-drop
qos ip-acl name testacl drop-action disable set-drop-prec low-drop
qos acl-assign port 1/16 acl-type ip name testacl
qos acl-assign port 1/17 acl-type ip name testacl
qos acl-assign port 1/18 acl-type ip name testacl
qos acl-assign port 1/19 acl-type ip name testacl
qos acl-assign port 1/20 acl-type ip name testacl


Results Achieved:
Ping from 192.168.4.10 to 192.168.2.1 (Vlan 2 interface): Unreachable (Expected)
Ping from 192.168.4.10 to 192.168.2.10 (Vlan 2 user): Unreachable (Expected)
Ping from 192.168.2.10 to 192.168.4.1 (Vlan 4 Interface): Reachable (Expected)
Ping from 192.168.2.10 to 192.168.4.10 (Vlan 4 User): Unreachable (Unexpected)

Cause

Product Limitation: None of the Stackable Ethernet Routing Switches allow ONE-WAY COMMUNICATION between two VLANs, because they do not keep track of sessions.

Complete Explanation:

Access Control Lists (ACLs) are designed to inspect packets and perform an action based on the configuration. The configured action is triggered at ingress, based on the source/destination addresses and protocol of each packet. Once you create a filter to block communication from VLAN4 to VLAN2, you also drop all return traffic from VLAN4 to VLAN2. This means that your requirement to allow communication from VLAN2 to VLAN4 while blocking the reverse direction will no longer work once the ACL is applied, since the return traffic of every VLAN2-initiated session is dropped.

The reason for this is that our switches are L2/L3 switches: they do not keep track of sessions, so this cannot be achieved by implementing an ACL on the ERS5xxx. This type of requirement can be achieved with firewall-type devices.
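To make the limitation concrete, the following is an added simulation (not part of the original article or any Avaya software) that parses the lab ACL above, evaluates each packet statelessly on ingress at ports 1/16-1/20 as the text describes, and checks both halves of each ping. It assumes that a reply sent by the switch's own VLAN interface (192.168.4.1) never ingresses an ACL-filtered port, which is why that ping succeeds while the host-to-host ping fails.

```python
import ipaddress

# ACL rules as configured in the lab above (first match wins; the final
# rule without src/dst is the catch-all permit).
ACL_RULES = [
    "qos ip-acl name testacl src-ip 192.168.4.0/24 dst-ip 192.168.2.0/24 drop-action enable set-drop-prec low-drop",
    "qos ip-acl name testacl src-ip 192.168.2.0/24 dst-ip 192.168.4.0/24 drop-action disable set-drop-prec low-drop",
    "qos ip-acl name testacl drop-action disable set-drop-prec low-drop",
]
ACL_PORTS = set(range(16, 21))  # ports 1/16-1/20 carry the ACL assignment


def parse_rule(line):
    """Extract (src_net, dst_net, drop?) from one 'qos ip-acl' line."""
    tok = line.split()
    value = lambda key: tok[tok.index(key) + 1] if key in tok else None
    src = ipaddress.ip_network(value("src-ip")) if value("src-ip") else None
    dst = ipaddress.ip_network(value("dst-ip")) if value("dst-ip") else None
    return src, dst, value("drop-action") == "enable"


RULES = [parse_rule(r) for r in ACL_RULES]


def ingress_allowed(ingress_port, src, dst):
    """Stateless ACL: each packet is judged on its own at ingress."""
    if ingress_port not in ACL_PORTS:
        return True  # no ACL assigned on this port
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for net_s, net_d, drop in RULES:
        if (net_s is None or s in net_s) and (net_d is None or d in net_d):
            return not drop
    return True


def ping(src_port, src, dst_port, dst):
    """A ping succeeds only if the echo request AND the echo reply pass.
    dst_port=None models the switch's own VLAN interface: its reply is
    generated by the switch, not received on a filtered port (assumption)."""
    request_ok = ingress_allowed(src_port, src, dst)
    reply_ok = dst_port is None or ingress_allowed(dst_port, dst, src)
    return request_ok and reply_ok
```

The fourth lab result falls out directly: the request from 192.168.2.10 is permitted, but its reply from 192.168.4.10 enters on port 19 and matches the first drop rule.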

Solution

To implement this scenario in the network, the customer might have to use other external devices such as firewalls.

Later customer requested the configuration of the following scenario, which was provided with lab results.

New Scenario: 8 VLANs (1-8), with the following required results:

• Communication between VLAN3 and VLAN8: Allowed
• Communication between VLAN3 and any other VLAN (1,2,4,5,6,7): Blocked
• Communication between all other VLANs (except VLAN3): Allowed


ACL Configuration:

qos ip-acl name testacl src-ip 192.168.1.0/24 dst-ip 192.168.3.0/24 drop-action enable set-drop-prec low-drop
qos ip-acl name testacl src-ip 192.168.2.0/24 dst-ip 192.168.3.0/24 drop-action enable set-drop-prec low-drop
qos ip-acl name testacl src-ip 192.168.4.0/24 dst-ip 192.168.3.0/24 drop-action enable set-drop-prec low-drop
qos ip-acl name testacl src-ip 192.168.5.0/24 dst-ip 192.168.3.0/24 drop-action enable set-drop-prec low-drop
qos ip-acl name testacl src-ip 192.168.6.0/24 dst-ip 192.168.3.0/24 drop-action enable set-drop-prec low-drop
qos ip-acl name testacl src-ip 192.168.7.0/24 dst-ip 192.168.3.0/24 drop-action enable set-drop-prec low-drop
qos ip-acl name testacl src-ip 192.168.8.0/24 dst-ip 192.168.3.0/24 drop-action disable set-drop-prec low-drop
qos ip-acl name testacl src-ip 192.168.3.0/24 dst-ip 192.168.8.0/24 drop-action disable set-drop-prec low-drop
qos ip-acl name testacl drop-action disable set-drop-prec low-drop
qos acl-assign port 1/1-1/24 acl-type ip name testacl

------------------------------------

Important Note: We cannot implement the new scenario (the one comprising 8 VLANs) on the ERS4500 due to inadequate resources available on this switch model. To block 6 VLANs (1,2,4,5,6 and 7) from VLAN3 we need to define QoS precedences, and on the ERS4000 the available precedences for application policies are exceeded.

The number of IP or L2 classifier elements you can apply to a port depends on the number of available QoS precedences that are not being utilized by other applications that also utilize QoS precedences. Other applications that utilize QoS precedences on the ERS 4000 include ARP, DHCP, UDP Forwarding, MAC Security, and Port Mirroring. On the ERS 4000, by default, four out of the eight QoS precedences are reserved for ARP, DHCP, and two default QoS policies (UntrustedClfrs1 and UntrustedClfrs2), leaving only four QoS precedences available.

So we cannot use ACLs alone to achieve the required scenario; we might achieve the result by mixing and matching ACLs and classifiers, but that would be very untidy. I have tested the same, and every time you assign these 6 rules to a port, the following error appears on the console:

% Cannot modify settings
% Inadequate resources available for application policy criteria

Hence, it is recommended to use the ERS5000, as it has 16 QoS precedences, of which 15 are user configurable.


Avaya -- Proprietary. Use pursuant to the terms of your signed agreement or Avaya policy