
EXOS 22.7.x.x - ACL Preventing Layer 2 Communication between clients in the same subnet.

RobertWilkinson
New Contributor III

Has anyone else got an issue with clients communicating with each other on the same subnet when deploying an ACL policy on egress of a VLAN?

In the Cisco world a normal RFC1918 ACL egressing the VLAN is sufficient for a guest network; clients can still communicate with each other, but this can be additionally adjusted with an ACL.

It seems in EXOS that as soon as you define an ACL it enables a type of client isolation, and the only way around this would be to specifically allow client-to-client traffic via an additional rule permitting egress traffic of the whole subnet.

1 ACCEPTED SOLUTION

RobertWilkinson
New Contributor III

Turns out it works on ingress on the VLAN; Cisco and Enterasys are the opposite way. All sorted now.

Still have to have an entry that has the L2 subnet as source and destination to allow clients to reach each other, but not a major issue, just not the usual behaviour for other vendors' ACLs.

RobertWilkinson
New Contributor III

@Stefan K. 

Something like this:

# Deny traffic towards the RFC1918 ranges; entries are matched top-down,
# first match wins.
entry 1 {
    if match all {
        destination-address 10.0.0.0/8 ;
    }
    then {
        deny ;
        count deny ;
    }
}
entry 2 {
    if match all {
        destination-address 172.16.0.0/12 ;
    }
    then {
        deny ;
        count deny ;
    }
}
entry 3 {
    if match all {
        destination-address 192.168.0.0/16 ;
    }
    then {
        deny ;
        count deny ;
    }
}

Applied to a VLAN on egress, let's say VLAN100, if I have two clients configured on the same switch that is doing the L3 they cannot communicate with each other. I've never had this with Cisco/HP/Dell.

The only way I can then get it to work is with an additional entry of:

# Entry name assumed; this permit must sit ahead of the deny entries above,
# otherwise entry 3 (192.168.0.0/16) matches the same traffic first.
entry 0 {
    if match all {
        source-address 192.168.1.0/24 ;
        destination-address 192.168.1.0/24 ;
    }
    then {
        permit ;
    }
}

Having an ACL blocking access to the RFC1918 subnets also blocks routing protocols like VRRP, but I have seen another article on that, and that only seems to really affect the likes of VRRP if the ACL is on ingress.
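A small first-match model of the policy discussed above, added here as an illustration and not part of the thread's own configuration. It assumes entries are evaluated top-down with the first match deciding, and that a flow matching no entry is permitted; it shows why client-to-client traffic in 192.168.1.0/24 is caught by the 192.168.0.0/16 deny and why the intra-subnet permit only helps when it precedes the denies.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the policy file discussed in the thread. Entries are
# checked top-down and the first match decides; a flow matching no entry is
# permitted here (assumption: mirrors the EXOS default when nothing matches).

def make_entry(name, action, src=None, dst=None):
    return (name,
            ip_network(src) if src else None,
            ip_network(dst) if dst else None,
            action)

def evaluate(policy, src_ip, dst_ip):
    """Return (action, entry_name) for one src -> dst flow."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for name, src_net, dst_net, action in policy:
        if src_net is not None and s not in src_net:
            continue
        if dst_net is not None and d not in dst_net:
            continue
        return action, name
    return "permit", "implicit"

# The three RFC1918 deny entries as posted above.
RFC1918_DENIES = [
    make_entry("entry1", "deny", dst="10.0.0.0/8"),
    make_entry("entry2", "deny", dst="172.16.0.0/12"),
    make_entry("entry3", "deny", dst="192.168.0.0/16"),
]
# The extra intra-subnet permit the poster needed (entry name assumed).
INTRA_PERMIT = make_entry("entry0", "permit",
                          src="192.168.1.0/24", dst="192.168.1.0/24")

POLICY_DENIES_ONLY = RFC1918_DENIES
POLICY_PERMIT_FIRST = [INTRA_PERMIT] + RFC1918_DENIES
POLICY_PERMIT_LAST = RFC1918_DENIES + [INTRA_PERMIT]  # shadowed by entry3

if __name__ == "__main__":
    flows = [("192.168.1.10", "192.168.1.20"),  # client to client, same /24
             ("192.168.1.10", "10.1.2.3"),      # guest to an internal subnet
             ("192.168.1.10", "8.8.8.8")]       # guest to the Internet
    for label, pol in (("denies only", POLICY_DENIES_ONLY),
                       ("permit first", POLICY_PERMIT_FIRST),
                       ("permit last", POLICY_PERMIT_LAST)):
        for src, dst in flows:
            print(f"{label:12} {src} -> {dst}: {evaluate(pol, src, dst)}")
```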

Stefan_K_
Valued Contributor

Could you show us the ACL you created? 
