Wired Intelligent Edge (Campus Switching and Routing)


Layer 3/core switches and traffic restrictions

I have a bit of a generic question to the community in regard to Aruba's layer 3 switching solutions.

I am predominantly a VoIP engineer but working with a campus networking team who use mostly HP Aruba internally for switching.

I am investigating an issue where traffic on port 5060 UDP is being blocked all of a sudden, and I am pretty certain the unmentioned firewalls in the attached diagram have closed the port, since a Wireshark capture pretty much confirms this - I do, however, want to rule out the L3 switch.

A change to TCP for port 5060 SIP signalling fixes the issue, but that is not the point.

What I want to confirm is - there is a layer 3 Aruba core switch between one end of the VPN connection and the PBX - I have a fair bit of experience and knowledge with L2 switching for VoIP but not so much L3/core - so this is my question:

Since the switch is layer 3 it has routing capabilities, but does it also have the means to block certain traffic types? This guide here, although outdated (Lync is pretty old now), suggests some sort of ACLs are required: https://www.arubanetworks.com/techdocs/ArubaOS_63_Web_Help/Content/ArubaFrameStyles/Voice_Video/Extended_Voice_and_Video.htm

Any advice or even command line configuration would be appreciated.


Accepted Solutions

Re: Layer 3/core switches and traffic restrictions

Yes, ACLs can be used to block traffic at layer 4 (port numbers). In addition, you can specify the protocol (IP/TCP/UDP) along with the port number to be blocked.

 

The syntax will be something like:

ip access-list extended block_port
deny tcp any any eq port#
deny udp any any eq port#

 

Let's assume your VLAN of interest is 100 and you want to block all incoming traffic for a specific port on that VLAN:
vlan 100 ip access-group block_port in

JayBee
ACDX | ACCX| CCIE (RnS/SP,DC) | ACCP | ACMP | ACSA | ACMA | CWNA | JNCIS | JNCIA
If the provided solution resolves your issue, please mark it as accepted solution to help others.
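An added example, not the poster's configuration and not the reply above: it completes the template for the thread's own case (SIP on UDP 5060, VLAN 100) and adds the checks needed to rule the switch in or out as the cause of the drops. It assumes ArubaOS-Switch (ProVision) CLI syntax; the ACL name "block_sip_udp" is made up here. Note that a named ACL ends in an implicit deny-all, so the template as written, applied inbound on the VLAN, would drop every packet on that VLAN, not only SIP.

```text
; Added example (ArubaOS-Switch syntax assumed), not the thread's own config.
; The two deny lines from the reply have no permit after them. A named ACL
; ends in an implicit "deny any", so applying them alone inbound on VLAN 100
; would drop all traffic on the VLAN. Always finish with an explicit permit.

ip access-list extended "block_sip_udp"
   remark "Block SIP signalling on UDP 5060; log denies for troubleshooting"
   deny udp any any eq 5060 log
   permit ip any any
   exit

vlan 100 ip access-group block_sip_udp in

; Ruling the switch in or out: first list which ACLs exist and where they are
; applied (check every VLAN/port between the VPN side and the PBX), then watch
; the per-ACE counters while a SIP registration or call is attempted.
show access-list
show access-list vlan 100
show statistics aclv4 block_sip_udp vlan 100 in

; No ACL applied anywhere in the path, or counters that stay at zero while
; the capture still shows UDP 5060 missing, points back at the firewalls in
; the diagram rather than the core switch.
```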
