ExtremeSwitching (EXOS)

  • 1.  static ACL question - block traffic vlan1 to vlan2 with exceptions

    Posted 01-07-2014 22:51
    Create Date: Jul 24 2013 3:10PM

    I have 2 VLANs, both with VRRP enabled, that share the default gateway (firewall).

    VLAN1 - not allowed to access VLAN2 (with exception DNS server and default GW)
    VLAN2 - no restrictions to VLAN1

    policy:

    entry VLAN1-to-VLAN2-GW {
        if {
            source-address 10.99.35.0/24 ;
            destination-address 10.99.36.254/24 ;
        } then {
            permit ;
        }
    }

    entry VLAN1-to-VLAN2-DNS {
        if {
            source-address 10.99.35.0/24 ;
            destination-address 10.99.36.101/24 ;
            protocol tcp ;
            source-port 53 ;
            protocol udp ;
            source-port 53 ;
        } then {
            permit ;
        }
    }

    entry VLAN1-to-VLAN2-OTHER {
        if {
            source-address 10.99.35.0/24 ;
            destination-address 10.99.36.0/24 ;
        } then {
            deny ;
        }
    }

    Policy check was successful.
    I added this ACL/policy to a port/egress with a laptop connected to that port (VLAN1 - 10.99.35.105), but I can still access all servers in VLAN2.

    Can you please check whether I am overlooking something? XOS ACLs are pretty new to me.
    (from LNU)


  • 2.  RE: static ACL question - block traffic vlan1 to vlan2 with exceptions

    Posted 01-07-2014 22:51
    Create Date: Jul 25 2013 12:05PM

    You could try something like this:

    entry VLAN1-to-VLAN2-GW {
        if match all {
            source-address 10.99.35.0/24 ;
            destination-address 10.99.36.254/32 ;
        }
        then {
            permit ;
            count VL1-VL2-GW ;
        }
    }
    entry VLAN1-to-VLAN2-DNS {
        if match all {
            source-address 10.99.35.0/24 ;
            destination-address 10.99.36.101/32 ;
            source-port 53 ;
        }
        then {
            permit ;
            count VL1-VL2-DNS ;
        }
    }
    entry VLAN2 {
        if match all {
            source-address 10.99.36.0/24 ;
        }
        then {
            permit ;
            count VL2 ;
        }
    }
    entry EverythingElse {
        if match all {
        }
        then {
            deny ;
            count Deny ;
        }
    }

    With "show access-list counter" you can see the packets hitting a specific rule.
    Configure the ACL on the ingress port (where your laptop is connected).
    (from Marjan_Rancic)


  • 3.  RE: static ACL question - block traffic vlan1 to vlan2 with exceptions

    Posted 01-07-2014 22:51
    Create Date: Jul 26 2013 11:14AM

    Thanks, but it's not working.

    If permitting matches, everything is permitted.
    If deny all other and permitting matches, everything is denied.
    (from LNU)


  • 4.  RE: static ACL question - block traffic vlan1 to vlan2 with exceptions

    Posted 04-04-2014 13:47
    Try this part:

    ...
    entry EverythingElse {
        if match all {
            source-address 0.0.0.0/0 ;
        }
        then {
            deny ;
            count Deny ;
        }
    }

    I just finished fighting a similar issue. Without specifying "source anywhere", it denies everything.

    In my case I have multiple VLANs where I want to allow routing all VLANs to/from one particular special VLAN, but I do not want to route traffic between the "normal" VLANs.

    I'll start a thread on that...


  • 5.  RE: static ACL question - block traffic vlan1 to vlan2 with exceptions

    Posted 04-04-2014 13:47
    User had an additional question. Please reference the new topic here: I have multiple VLANs where I want to allow routing all VLANs to/from one particu...
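    The thread never spells out why the first policy let the laptop reach every VLAN2 host, so here is an added example (not code from the thread or from Extreme Networks): a small first-match simulator for the subset of EXOS policy syntax used above. It assumes plain first-match evaluation, an implicit permit when no entry matches, and ordinary CIDR semantics (so `10.99.36.254/24` is the whole `10.99.36.0/24` network); it does not model any switch-specific behaviour such as the empty-match quirk posts 3 and 4 describe. The two policy texts, the counter names `VL1-VL2-DNS-UDP`, `VL1-VL2-DNS-TCP`, `VL1-VL2-DENY` and `Permit`, and the sample flows are all constructed for the example.

```python
# Added example, not from the thread or from Extreme Networks. Assumptions:
# first-match, implicit permit on fall-through, standard CIDR semantics;
# switch-specific quirks are not modelled.
import ipaddress
import re

# One entry: "entry NAME { if [match all] { conditions } then { actions } }"
_ENTRY_RE = re.compile(
    r"entry\s+(?P<name>\S+)\s*\{\s*if(?:\s+match\s+all)?\s*\{(?P<match>.*?)\}"
    r"\s*then\s*\{(?P<action>.*?)\}\s*\}",
    re.S,
)


def parse_policy(text):
    """Return [{'name', 'match': {keyword: value}, 'action'}] in file order."""
    entries = []
    for m in _ENTRY_RE.finditer(text):
        match = {}
        for stmt in m.group("match").split(";"):
            parts = stmt.split()
            if parts:                      # skip the empty tail after the last ';'
                match[parts[0]] = parts[1]
        action = m.group("action").split(";")[0].strip()   # 'permit' or 'deny'
        entries.append({"name": m.group("name"), "match": match, "action": action})
    return entries


def _matches(cond, flow):
    """True when every condition of the entry holds for the flow ('match all')."""
    for key, value in cond.items():
        if key in ("source-address", "destination-address"):
            addr = flow["src"] if key == "source-address" else flow["dst"]
            if ipaddress.ip_address(addr) not in ipaddress.ip_network(value, strict=False):
                return False
        elif key == "protocol":
            if flow["proto"] != value:
                return False
        elif key in ("source-port", "destination-port"):
            port = flow.get("sport" if key == "source-port" else "dport")
            if port != int(value):
                return False
        else:
            raise ValueError("unsupported match keyword: " + key)
    return True


def evaluate(entries, flow):
    """First match wins: (action, entry name), or ('permit', None) on fall-through."""
    for entry in entries:
        if _matches(entry["match"], flow):
            return entry["action"], entry["name"]
    return "permit", None


# Constructed from post 1: the gateway exception written with /24 instead of /32.
AS_POSTED = """
entry VLAN1-to-VLAN2-GW {
    if { source-address 10.99.35.0/24 ; destination-address 10.99.36.254/24 ; }
    then { permit ; }
}
entry VLAN1-to-VLAN2-OTHER {
    if { source-address 10.99.35.0/24 ; destination-address 10.99.36.0/24 ; }
    then { deny ; }
}
"""

# Constructed correction: host exceptions as /32, DNS matched on destination-port
# with one protocol per entry, and the explicit catch-all from post 4.
CORRECTED = """
entry VLAN1-to-VLAN2-GW {
    if match all { source-address 10.99.35.0/24 ; destination-address 10.99.36.254/32 ; }
    then { permit ; count VL1-VL2-GW ; }
}
entry VLAN1-to-VLAN2-DNS-UDP {
    if match all { source-address 10.99.35.0/24 ; destination-address 10.99.36.101/32 ;
                   protocol udp ; destination-port 53 ; }
    then { permit ; count VL1-VL2-DNS-UDP ; }
}
entry VLAN1-to-VLAN2-DNS-TCP {
    if match all { source-address 10.99.35.0/24 ; destination-address 10.99.36.101/32 ;
                   protocol tcp ; destination-port 53 ; }
    then { permit ; count VL1-VL2-DNS-TCP ; }
}
entry VLAN1-to-VLAN2-OTHER {
    if match all { source-address 10.99.35.0/24 ; destination-address 10.99.36.0/24 ; }
    then { deny ; count VL1-VL2-DENY ; }
}
entry EverythingElse {
    if match all { source-address 0.0.0.0/0 ; }
    then { deny ; count Deny ; }
}
"""

# Constructed flows as seen on the laptop's ingress port (VLAN1, 10.99.35.105).
FLOWS = {
    "laptop -> VLAN2 file server": {"src": "10.99.35.105", "dst": "10.99.36.10", "proto": "tcp", "dport": 445},
    "laptop -> DNS query":         {"src": "10.99.35.105", "dst": "10.99.36.101", "proto": "udp", "dport": 53},
    "laptop -> DNS host, ssh":     {"src": "10.99.35.105", "dst": "10.99.36.101", "proto": "tcp", "dport": 22},
    "laptop -> gateway ping":      {"src": "10.99.35.105", "dst": "10.99.36.254", "proto": "icmp"},
    "laptop -> internet via gw":   {"src": "10.99.35.105", "dst": "203.0.113.5", "proto": "tcp", "dport": 443},
}


def report(policy_text):
    """Map each constructed flow to (action, matching entry) under the policy."""
    entries = parse_policy(policy_text)
    return {name: evaluate(entries, flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, policy in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(label)
        for name, (action, entry) in report(policy).items():
            print(f"  {name:30} {action:6} via {entry}")
```

Running it shows the as-posted policy permitting the file-server flow through `VLAN1-to-VLAN2-GW`, because the /24 on the gateway address covers the entire VLAN2 subnet and the deny entry below it is never reached; the corrected policy denies that flow and permits only the DNS queries and the gateway itself. It also shows that the gateway exception only covers packets addressed to `10.99.36.254`, not packets routed through it: with post 4's catch-all deny, the internet-bound flow is dropped by `EverythingElse`, so any destinations beyond the firewall that VLAN1 must reach need their own permit entry ahead of the catch-all.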