QoS ACL Avaya problem



  • Sorry if I'm posting in the wrong forum--but I've got an Avaya ERS 4548 L3 switch as my "core" router and I'm having an issue I can't figure out.

    I'm trying to segment my IoT devices (vlan 112, port 26) from the rest of my network, but this particular build of Avaya switch does not have traditional ACLs, you have to implement them with QoS. My current setup is as follows:

    ! *** QOS ***
    !
    qos ip-acl name deny src-ip 10.101.112.0/24 dst-ip 10.101.48.0/24 drop-action e
    nable
    qos ip-acl name deny src-ip 10.101.112.0/24 drop-action disable
    qos ip-acl name deny dst-ip 255.255.255.255/32 drop-action disable
    qos ip-acl name deny ds-field 46 drop-action enable
    

    Basically, for right now, I'm trying to block vlan 112 off from 48, while still allowing it on my management vlan (252) for testing purposes. And I can get it to work consistently, it will ping other devices on my management vlan and even ping out, but after either waiting an hour or reloading the switch, anything on port 26 in vlan 112 will stop talking to pfsense--and only pfsense--entirely. I can ping other devices on 252, and devices on 112 but on other ports will ping out no problem, it's just any device with that QoS policy applied.

    I have a trunked "cisco" edge switch with traditional extended ACLs implemented, works like a dream. I think it may have to do with the DSCP implementation on the Avaya, but that's out of my depth, I haven't done granular work with QoS like this before. I've tried setting up traffic shaping in pfsense and tagging the traffic out with a dscp classifier that pfsense documentation sez it can understand, but no dice.

    Anyone run into something like this before?

    Thank you in advance for your time!


Log in to reply