
Author Topic: Avaya ERS 4548 VLAN Question  (Read 3352 times)

Caponewgp
Avaya ERS 4548 VLAN Question
« on: January 21, 2016, 09:26:26 AM »
We currently have two VLANs across all of our Avaya ERS 4548 switches: one VLAN for our phones and one for our data. Because our computers' internet connection goes through our Avaya phones, the recommended setup for tagging was UntagPvidOnly with the data VLAN as the PVID. Two of the 4548 switches are responsible for all the routing. Now we need to create two or three more VLANs, and I can get it to work, but not really the way I want.

Essentially we need one completely private VLAN that we are going to use as a guest VLAN. The problem that I see is that even if I assign a port to only the guest VLAN, I can still see all the other traffic from the network. I'm assuming this is a port tagging issue. If I turn discardUntaggedFrames to "True" I don't see any of the other traffic, but I also can't ping other devices that are on the same guest VLAN.

The other VLAN that I need is for an IP camera system. We would like this again to be separate from all other traffic except the IT computers. I'm running into the same issue as with the private guest VLAN.

I've really only used the switch web page to set up the phone and data VLANs, so I'm most familiar with that setup. I've seen that some of the Avaya switches have specific options for private VLANs, but I don't see those settings on the 4548. I'm assuming that because we have UntagPvidOnly on every port the data packets are all untagged, which is why I can see all the traffic on any private VLAN that I set up. So I'm not sure if this is even possible. Any help or suggestions would be great. Thanks.


Johan Witters
Re: Avaya ERS 4548 VLAN Question
« Reply #1 on: January 27, 2016, 02:51:51 AM »
Hi Capone,

For your guest ports you should assign only that VLAN to the specified ports, and put those ports in "untagAll" mode. In the web interface you assign the VLAN in the "VLAN" menu; checking the port settings can be done by right-clicking the interface and choosing "edit". On the VLAN tab you should only see the guest VLAN, and tagging as "untagAll". That should make sure you only see traffic from that VLAN. If you do not want the guest VLAN to access or be accessible from other VLANs, do not assign an IP address to the VLAN; link a router or firewall directly to a port in the guest VLAN.

The same goes for the camera VLAN, but to make it accessible from the IT subnet you have 2 scenarios:
1) Add an IP address on the camera network. As this will put the network into the routing table, you need to configure ACLs to deny traffic from other VLANs towards the camera systems.
2) Do not configure an IP address on the VLAN; instead connect the camera system to the firewall and perform routing on the firewall. Access policies can be configured to allow/deny traffic, which in most cases is far easier to configure compared to the ACLs on the switch.
Kind regards,

Johan Witters

Network Engineer
BKM NV

Caponewgp
Re: Avaya ERS 4548 VLAN Question
« Reply #2 on: February 18, 2016, 04:38:18 PM »
Thanks a lot for the response. I've really been trying to figure this out. I wish Avaya had training on this specific model of switch available. I would take that in a heartbeat.

So you're saying it would be better to create the ACLs on our firewall instead of our core layer 3 switch, letting the firewall do the routing? Right now, for our data and voice VLANs, the layer 3 switch does all the routing.

So essentially

Data VLAN - VLAN 1 - 192.168.4.0 - Ports 1-18 22-48

Phone VLAN - VLAN 50 - 10.10.51.0 - Ports 1-18 22-48

Every switch port has a default vlan of 1 and is set to untag PVID only.

I've added another VLAN

Guest VLAN - VLAN 70 - No IP configured on l3 switch - Ports 19-21 and trunk port 48 ( Just three ports besides trunk for testing)

Firewall using port 21 for routing and ACLs

Ports 19-21 should have untagAll and a default VLAN of 70. Port 48 is the trunk, so tagAll.
« Last Edit: February 18, 2016, 04:40:07 PM by Caponewgp »
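Added example, not from the thread and not Avaya's code: a small Python model of the 802.1Q ingress/egress rules behind the tagging modes Johan describes above, applied to the port plan in the post just above (VLAN 1 data as PVID, VLAN 50 voice, VLAN 70 guest on ports 19-21, port 48 as the tagged uplink). It assumes the standard semantics of these modes (an untagged ingress frame is placed in the PVID, discardUntaggedFrames drops untagged ingress frames, a port forwards only VLANs it is a member of, and tagAll/untagAll/untagPvidOnly/tagPvidOnly decide whether the egress frame carries a tag) and assumes "filter unregistered frames" is on; the "leaky" and "discard" scenarios are my guess at what the original question's port settings looked like, and the port table is constructed for the example.

```python
"""Model of 802.1Q tagging/PVID rules on an ERS 4548-style switch (added example)."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Tagging modes as the ERS 4548 web UI names them.
UNTAG_ALL = "untagAll"
TAG_ALL = "tagAll"
UNTAG_PVID_ONLY = "untagPvidOnly"
TAG_PVID_ONLY = "tagPvidOnly"

# A frame on the wire: (802.1Q VID, or None when untagged; payload label).
Frame = Tuple[Optional[int], str]


@dataclass
class Port:
    members: Set[int]                 # VLANs the port is a member of
    pvid: int                         # VLAN given to untagged ingress frames
    tagging: str = UNTAG_ALL
    discard_untagged: bool = False    # "discardUntaggedFrames" in the web UI
    filter_unregistered: bool = True  # drop tagged frames for VLANs the port is
                                      # not in (assumed default; verify on the switch)


def classify_ingress(port: Port, frame: Frame) -> Optional[int]:
    """VLAN a received frame is placed in, or None if the port drops it."""
    vid, _ = frame
    if vid is None:                                   # untagged frame -> PVID
        return None if port.discard_untagged else port.pvid
    if port.filter_unregistered and vid not in port.members:
        return None
    return vid


def egress(port: Port, vlan: int, payload: str) -> Optional[Frame]:
    """Frame as it leaves `port` for `vlan`, or None if the port is not in that VLAN."""
    if vlan not in port.members:
        return None
    if port.tagging == TAG_ALL:
        return (vlan, payload)
    if port.tagging == UNTAG_ALL:
        return (None, payload)
    if port.tagging == UNTAG_PVID_ONLY:
        return (None, payload) if vlan == port.pvid else (vlan, payload)
    if port.tagging == TAG_PVID_ONLY:
        return (vlan, payload) if vlan == port.pvid else (None, payload)
    raise ValueError(f"unknown tagging mode {port.tagging}")


def flood(switch: Dict[int, Port], in_port: int, frame: Frame) -> Dict[int, Frame]:
    """Flood a broadcast/unknown-unicast frame: {out_port: frame as seen on that port}."""
    vlan = classify_ingress(switch[in_port], frame)
    if vlan is None:
        return {}
    out: Dict[int, Frame] = {}
    for num, port in switch.items():
        if num == in_port:
            continue
        f = egress(port, vlan, frame[1])
        if f is not None:
            out[num] = f
    return out


def guest_isolated(switch: Dict[int, Port], guest_ports: Set[int], uplink: int) -> bool:
    """Untagged traffic from a guest port may reach only guest ports and the uplink,
    and untagged traffic from any other access port must never reach a guest port."""
    for src in switch:
        if src == uplink:
            continue
        reached = set(flood(switch, src, (None, "bcast")))
        if src in guest_ports and not reached <= guest_ports | {uplink}:
            return False
        if src not in guest_ports and reached & guest_ports:
            return False
    return True


def build_switch(guest_setup: str) -> Dict[int, Port]:
    """Constructed port table following the thread: VLAN 1 data (PVID), VLAN 50 voice,
    VLAN 70 guest on ports 19-21, port 48 as the tagged uplink."""
    sw = {p: Port(members={1, 50}, pvid=1, tagging=UNTAG_PVID_ONLY)
          for p in list(range(1, 19)) + list(range(22, 48))}   # phone + PC ports
    sw[48] = Port(members={1, 50, 70}, pvid=1, tagging=TAG_ALL)
    for p in (19, 20, 21):
        if guest_setup == "leaky":       # VLAN 70 added, but VLAN 1 membership and PVID 1 kept
            sw[p] = Port(members={1, 70}, pvid=1, tagging=UNTAG_PVID_ONLY)
        elif guest_setup == "discard":   # as above, plus discardUntaggedFrames=True
            sw[p] = Port(members={1, 70}, pvid=1, tagging=UNTAG_PVID_ONLY,
                         discard_untagged=True)
        elif guest_setup == "isolated":  # Johan's advice: only VLAN 70, PVID 70, untagAll
            sw[p] = Port(members={70}, pvid=70, tagging=UNTAG_ALL)
        else:
            raise ValueError(guest_setup)
    return sw


if __name__ == "__main__":
    for setup in ("leaky", "discard", "isolated"):
        sw = build_switch(setup)
        print(setup, "| guest isolated:", guest_isolated(sw, {19, 20, 21}, 48),
              "| guest ping from port 19 reaches:", sorted(flood(sw, 19, (None, "ping"))))
```

Running it shows only the "isolated" setup passing `guest_isolated`: in the "leaky" setup a guest PC's untagged frames land in VLAN 1 (the PVID) and VLAN 1 broadcasts egress untagged on the guest port, and in the "discard" setup the guest's own frames are dropped at ingress (so nothing on VLAN 70 answers a ping) while VLAN 1 broadcasts still reach the port. The same model also shows why a capture on a PC behind an untagPvidOnly port sees voice traffic: a VLAN 50 frame is forwarded to port 1, just carrying a VID 50 tag. The check to do on the real switch is the one Johan gives: the port's VLAN tab must list VLAN 70 only, with PVID 70 and tagging untagAll.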

Johan Witters
Re: Avaya ERS 4548 VLAN Question
« Reply #3 on: February 18, 2016, 05:40:48 PM »
There used to be a classroom course on ERS switches, but I think it expired. Most of the hardware it covered is EoS by now, so I think it will be replaced by a new course soon, if not already...

Your configuration looks right to me; I can't judge the firewall, but it should be OK.

It is possible to configure ACLs on the switch, but I find it difficult to maintain and troubleshoot. If you need to add/remove something within the ACL, you have to delete the ACL and recreate it with the correct settings.
In a firewall you can just add/remove rules, move the order, etc. without the need to delete them all. Also, on most brands you have extended logging, packet capturing, tracing, etc.
Kind regards,

Johan Witters

Network Engineer
BKM NV

Caponewgp
Re: Avaya ERS 4548 VLAN Question
« Reply #4 on: February 19, 2016, 08:34:50 AM »
This might seem like a stupid question, but if traffic is automatically routable between VLANs, then is there really any benefit to using VLANs? Does it cut down on broadcast traffic or something? We've talked about creating a separate VLAN for each floor in our building. Would there be any advantage to doing that, either security-wise or to filter some traffic? I know right now if I run Wireshark on my computer I can see traffic from all over our network and even from our phone VLAN.

Also, do you happen to know of any resources I can use to help me look at creating ACLs for the switch? It looks like the 4548GT-PWR doesn't support traditional ACLs. I can see the QoS options. I'm more than likely going to use our Cisco firewall for the routing and ACLs, but it might still be good information to have in the future.
« Last Edit: February 19, 2016, 11:42:43 AM by Caponewgp »

Johan Witters
Re: Avaya ERS 4548 VLAN Question
« Reply #5 on: February 22, 2016, 05:59:37 AM »
The main advantage is to limit the size of your broadcast domain, and to isolate data to the ports where it is needed. Your PC doesn't want to see all broadcasts from your voice network, etc.

I have no idea if there are tools to configure the ACLs with; you can do some work within the EDM when using QoS. Perhaps with Identity Engines, but I don't have experience with that...
Kind regards,

Johan Witters

Network Engineer
BKM NV