
Topic: Blocking Traffic between vlans on Nortel 5520


rkfrenzy
Blocking Traffic between vlans on Nortel 5520
« on: August 01, 2015, 10:58:34 AM »
Hi,

I'm working on setting up a new network at one of my sites. I'm using 10.3.0.0/16 as the network space for this site. I have broken that up into several /24s to use as my various networks within the site. I will be providing guest wifi access at this site and need help setting up the ACLs on the 5520 to support this.

My guest VLAN is id #32 and uses the IP space 10.3.2.0/24. I have IP routing enabled on the Nortel 5520 and it works beautifully routing all traffic between my VLANs. My gateway router is located at 192.168.255.1 and is the default route on the Nortel 5520, so all traffic that needs to hit the internet goes there. My DHCP/DNS server is located at 10.3.6.2. I have DHCP relay running to allow that one server to service all of my networks.

I've tried following the directions from the configuration guide but have not gotten it working. What I'm trying to do is allow the network at 10.3.2.0/24 to have access to anything on its own network, the internet router (located at 192.168.255.1), and the DHCP/DNS server located at 10.3.6.2. I would also like to not restrict any of the traffic on the rest of my VLANs.

Here are the commands I'm running to set up the ACLs:

qos ip-acl name guest-net-acl src-ip 10.3.2.0/24 dst-ip 10.3.6.2/32 protocol 17 dst-port-min 53 dst-port-max 53
qos ip-acl name guest-net-acl src-ip 10.3.2.0/24 dst-ip 10.3.6.2/32 protocol 17 dst-port-min 67 dst-port-max 67
qos ip-acl name guest-net-acl src-ip 10.3.2.0/24 dst-ip 10.3.6.2/32 protocol 17 dst-port-min 68 dst-port-max 68
qos ip-acl name guest-net-acl src-ip 10.3.2.0/24 dst-ip 10.3.2.0/24
qos ip-acl name guest-net-acl src-ip 10.3.2.0/24 dst-ip 192.168.255.0/30
qos ip-acl name allow-all-acl src-ip
qos ip-acl name allow-all-acl drop-action disable
qos acl-assign port 24 acl-type ip name guest-net-acl
qos acl-assign port 24 acl-type ip name allow-all-acl

Port 24 is currently connected to my access point, which is managed by a Meru controller. It is configured to simply take the SSID the user connects to and drop them onto the specified VLAN (no routing).

Here's what happens:
When I enable those rules, all of my wireless devices (regardless of the network they are on) can no longer access any resources. They are unable to get an IP address from DHCP, cannot query the DNS server and don't have access to the internet.

What am I doing wrong? I'll be happy to share as much of my config as is necessary to fix this.

Thanks in advance!
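As an added illustration, not part of the original post or of any Nortel documentation: a small Python model of the guest-net-acl entries quoted above, run against constructed sample packets that a guest client, a client with no lease yet, and a device on another wireless VLAN would send through port 24. It assumes the entries are permits and that a packet matching none of them on a port with an assigned ACL is dropped; allow-all-acl is not modelled because its src-ip line is incomplete in the post, and the staff address 10.3.4.50 is a constructed example.

```python
import ipaddress

# Constructed model of the guest-net-acl entries quoted in the post; not the
# switch's own code. Rule = (src net, dst net, IP protocol or None, (port_lo, port_hi) or None).
GUEST_NET_ACL = [
    ("10.3.2.0/24", "10.3.6.2/32", 17, (53, 53)),      # DNS to 10.3.6.2
    ("10.3.2.0/24", "10.3.6.2/32", 17, (67, 67)),      # DHCP server port
    ("10.3.2.0/24", "10.3.6.2/32", 17, (68, 68)),      # DHCP client port
    ("10.3.2.0/24", "10.3.2.0/24", None, None),        # guest to guest
    ("10.3.2.0/24", "192.168.255.0/30", None, None),   # guest to the gateway router itself
]

def rule_matches(rule, pkt):
    """True if the packet's IP/UDP header fields satisfy every field the rule specifies."""
    src_net, dst_net, proto, ports = rule
    if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(src_net):
        return False
    if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(dst_net):
        return False
    if proto is not None and pkt.get("proto") != proto:
        return False
    if ports is not None and not (ports[0] <= pkt.get("dport", -1) <= ports[1]):
        return False
    return True

def permitted(acl, pkt):
    """Assumption: every entry is a permit and a packet matching no entry is dropped."""
    return any(rule_matches(rule, pkt) for rule in acl)

# Constructed sample packets arriving on port 24 (all wireless VLANs share that port).
# A client with no lease sends DHCP DISCOVER from 0.0.0.0, not from a 10.3.2.x address.
SAMPLES = {
    "guest dns query":      {"src": "10.3.2.50", "dst": "10.3.6.2", "proto": 17, "dport": 53},
    "guest dhcp discover":  {"src": "0.0.0.0", "dst": "255.255.255.255", "proto": 17, "dport": 67},
    "guest to internet":    {"src": "10.3.2.50", "dst": "203.0.113.10", "proto": 6, "dport": 443},
    "staff vlan dns query": {"src": "10.3.4.50", "dst": "10.3.6.2", "proto": 17, "dport": 53},
}

def evaluate(acl=GUEST_NET_ACL, samples=SAMPLES):
    """Return {sample name: True if permitted, False if dropped}."""
    return {name: permitted(acl, pkt) for name, pkt in samples.items()}

if __name__ == "__main__":
    for name, ok in evaluate().items():
        print(f"{name:22s} -> {'permit' if ok else 'DROP'}")
```

Only the unicast DNS query survives: the DISCOVER fails the src-ip match, internet-bound packets carry the remote host as dst-ip rather than the router, and every other VLAN on port 24 falls through to the drop.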