AVAYA ERS IP blocking

Hello,
I am trying to block IP traffic from one network to another network on an AVAYA ERS 4526GTX-PWR switch. I have static routes to enable vlan routing between buildings but need to block traffic 192.168.2.0/24 to 192.168.1.0/24 on a specific port.
I read some AVAYA guides and constructed these commands:

qos ip-acl name "block" src-ip 192.168.2.0/24 dst-ip 192.168.1.0/24 drop-action disable
qos acl-assign port 14 acl-type ip name "block"

However, I can still ping across networks on this port.
MilanDeAsked:

JustInCaseCommented:
What are results of
#show qos acl
#show qos ip-acl
MilanDeAuthor Commented:
Hi Predrag,

The commands output:

sh qos acl-assign
 Id               Name              State   ACL  Unit/Port Storage
                                            Type             Type
_____ ____________________________ ________ ____ _________ ________
1     block                        Enabled  IP   1/14      NonVol



Port 14 is the port that has a wireless router connected, which is the network (195.168.2.0) I am trying to block traffic from to 192.168.1.0.

show qos ip-acl

Id: 1
Name: block
Block:
Address Type: IPv4
Destination Addr/Mask: 192.168.1.0/24
Source Addr/Mask: 192.168.2.0/24
DSCP: Ignore
IPv4 Protocol / IPv6 Next Header: Ignore
Destination L4 Port Min: Ignore
Destination L4 Port Max: Ignore
Source L4 Port Min: Ignore
Source L4 Port Max: Ignore
IPv6 Flow Id: Ignore
Action Drop: No
Action Update DSCP: Ignore
Action Update 802.1p Priority: Ignore
Action Set Drop Precedence: Low Drop
Type: Access List
Storage Type: NonVolatile


JustInCaseCommented:
qos ip-acl name "block" src-ip 192.168.2.0/24 dst-ip 192.168.1.0/24 drop-action disable
qos acl-assign port 14 acl-type ip name "block"
This resulted in attaching the ip access list to port 1/14 and
Action Drop: No
I guess that you need to change drop-action disable to drop-action enable.
MilanDeAuthor Commented:
Thanks Predrag,

I did try that. However, if I change the drop action to enable it blocks all traffic going to port 14, even traffic on the same 192.168.2.0/24 network.
JustInCaseCommented:
I guess that Avaya has an implicit deny any any at the end of the acl, so I guess that you may need to add a second statement to your acl
(config)#qos ip-acl name "block" drop-action disable
to permit all other traffic.
MilanDeAuthor Commented:
I think I understand. So I would need to apply both acl's to port 14?
JustInCaseCommented:
Not both. Just to add another statement to qos ip-acl
 :)

qos ip-acl name "block" src-ip 192.168.2.0/24 dst-ip 192.168.1.0/24 drop-action enable
qos ip-acl name "block" drop-action disable
qos acl-assign port 14 acl-type ip name "block"
MilanDeAuthor Commented:
Ok, I see:

Id: 1
Name: block
Block:
Address Type: IPv4
Destination Addr/Mask: 192.168.1.0/24
Source Addr/Mask: 192.168.2.0/24
DSCP: Ignore
IPv4 Protocol / IPv6 Next Header: Ignore
Destination L4 Port Min: Ignore
Destination L4 Port Max: Ignore
Source L4 Port Min: Ignore
Source L4 Port Max: Ignore
IPv6 Flow Id: Ignore
Action Drop: Yes
Action Update DSCP: Ignore
Action Update 802.1p Priority: Ignore
Action Set Drop Precedence: Low Drop
Type: Access List
Storage Type: NonVolatile

Id: 2
Name: block
Block:
Address Type: IPv4
Destination Addr/Mask: Ignore
Source Addr/Mask: Ignore
DSCP: Ignore
IPv4 Protocol / IPv6 Next Header: Ignore
Destination L4 Port Min: Ignore
Destination L4 Port Max: Ignore
Source L4 Port Min: Ignore
Source L4 Port Max: Ignore
IPv6 Flow Id: Ignore
Action Drop: No
Action Update DSCP: Ignore
Action Update 802.1p Priority: Ignore
Action Set Drop Precedence: Low Drop
Type: Access List
Storage Type: NonVolatile



 Id               Name              State   ACL  Unit/Port Storage
                                            Type             Type
_____ ____________________________ ________ ____ _________ ________
1     block                        Enabled  IP   1/14      NonVol



I am still unable to ping that port from the same network. It looks like it hasn't assigned the second acl statement.
MilanDeAuthor Commented:
Looking at this AVAYA document, section 7.1.4 it would suggest that we don't apply the blocking acl on a specific port but do apply the allow acl on the specific port?
JustInCaseCommented:
Documentation QoS for 4500 series - page 48.
If you first specify what you allow the rest will be blocked.

The second action may not match the ping you are trying, but it is listed as the second statement, so it is active.
Try adding this one as the first acl statement

qos ip-acl name "block" protocol 1 drop-action disable
qos ip-acl name "block" src-ip 192.168.2.0/24 dst-ip 192.168.1.0/24 drop-action enable
qos ip-acl name "block" drop-action disable

qos acl-assign port 14 acl-type ip name "block"

That should match ping before the second statement (all networks - if you want you can specify src-ip dest-ip), but it should be the first statement to allow ping. You can test - try to set only ping as allowed traffic and play around a little with that. To check whether ping works, that should be a good start. This should allow ping and block all other traffic.

qos ip-acl name "block" protocol 1 drop-action disable
qos ip-acl name "block" drop-action enable
qos acl-assign port 14 acl-type ip name "block"

MilanDeAuthor Commented:
Hi Predrag,

No joy I'm afraid. Applying those commands blocks outgoing traffic to the same LAN.
JustInCaseCommented:
So, I guess you can create statement that will permit traffic from that vlan to any destination.
qos ip-acl name "block" src-ip 192.168.1.0/24 drop-action disable
Add that statement at the top (as the acl's first statement); this should permit all IPv4 traffic from 192.168.1.0 to any network
MilanDeAuthor Commented:
I managed to get it working with the following:

qos ip-acl name "block" protocol 1 drop-action disable
qos ip-acl name "block" src-ip 192.168.2.0/24 dst-ip 192.168.2.0/24 drop-action disable
qos ip-acl name "block" src-ip 192.168.2.0/24 dst-ip 192.168.1.0/24 drop-action enable
qos ip-acl name "block" drop-action disable



Thanks for all your help.
Matt
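To make the statement-ordering semantics concrete, here is an added Python model (not from the thread and not Avaya code) that assumes first-match evaluation with an implicit deny when nothing matches, which is the behaviour the replies above infer from the observations. It encodes the drop-only ACL tried earlier in the thread and the final working ACL, evaluates constructed sample flows against them, and renders each ACL as the CLI lines in the syntax used here. The model only shows what first-match with implicit deny yields; it does not explain the intermediate attempt that still blocked same-network pings.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ICMP, TCP, UDP = 1, 6, 17  # IPv4 protocol numbers


@dataclass(frozen=True)
class Statement:
    """One 'qos ip-acl' statement. None for a field means 'Ignore' in the show output."""
    drop: bool                      # drop-action enable -> True, disable -> False
    src: Optional[str] = None       # src-ip prefix, e.g. "192.168.2.0/24"
    dst: Optional[str] = None       # dst-ip prefix
    protocol: Optional[int] = None  # IPv4 protocol number (1 = ICMP)

    def matches(self, src_ip: str, dst_ip: str, proto: int) -> bool:
        if self.src is not None and ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.src, strict=False):
            return False
        if self.dst is not None and ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.dst, strict=False):
            return False
        if self.protocol is not None and self.protocol != proto:
            return False
        return True


def evaluate(acl: List[Statement], src_ip: str, dst_ip: str, proto: int) -> Tuple[str, Optional[int]]:
    """First matching statement decides; returns (verdict, statement index).
    Assumption (from the thread): no match at all means an implicit deny, index None."""
    for idx, st in enumerate(acl):
        if st.matches(src_ip, dst_ip, proto):
            return ("drop" if st.drop else "permit", idx)
    return ("drop", None)


def to_cli(name: str, acl: List[Statement]) -> List[str]:
    """Render statements in the CLI syntax shown in the thread (order is preserved)."""
    lines = []
    for st in acl:
        parts = [f'qos ip-acl name "{name}"']
        if st.protocol is not None:
            parts.append(f"protocol {st.protocol}")
        if st.src is not None:
            parts.append(f"src-ip {st.src}")
        if st.dst is not None:
            parts.append(f"dst-ip {st.dst}")
        parts.append("drop-action " + ("enable" if st.drop else "disable"))
        lines.append(" ".join(parts))
    return lines


# The single drop statement tried earlier: matching flows drop, everything else falls to implicit deny.
DROP_ONLY = [Statement(drop=True, src="192.168.2.0/24", dst="192.168.1.0/24")]

# The final working ACL from the thread, in the order it was entered.
WORKING = [
    Statement(drop=False, protocol=ICMP),
    Statement(drop=False, src="192.168.2.0/24", dst="192.168.2.0/24"),
    Statement(drop=True, src="192.168.2.0/24", dst="192.168.1.0/24"),
    Statement(drop=False),
]

# Constructed sample flows (not captured traffic): (src, dst, protocol, label)
SAMPLE_FLOWS = [
    ("192.168.2.10", "192.168.1.5", TCP, "cross-network TCP"),
    ("192.168.2.10", "192.168.1.5", ICMP, "cross-network ping"),
    ("192.168.2.10", "192.168.2.20", TCP, "same-network TCP"),
    ("192.168.2.10", "10.0.0.1", UDP, "to some other network, UDP"),
]

if __name__ == "__main__":
    for label, acl in (("drop-only", DROP_ONLY), ("working", WORKING)):
        print(f"== {label} ACL ==")
        for line in to_cli("block", acl):
            print("  " + line)
        for src, dst, proto, desc in SAMPLE_FLOWS:
            verdict, idx = evaluate(acl, src, dst, proto)
            where = "implicit deny" if idx is None else f"statement {idx}"
            print(f"  {desc:28s} {src} -> {dst}: {verdict} ({where})")
```

Running the model shows why the drop-only ACL blocked same-network traffic (no statement matches it, so the assumed implicit deny applies) and how the trailing permit-all in the working ACL closes that gap. It also shows that, with the ICMP permit in first position, pings from 192.168.2.0/24 to 192.168.1.0/24 are permitted while TCP and UDP between those networks are dropped, which is worth keeping in mind if the intent is to block all traffic rather than only TCP/UDP.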
JustInCaseCommented:
Nice, you're welcome. :)