ExtremeSwitching (Other)


ACL applying over VLAN

  • 1.  ACL applying over VLAN

    Posted 03-13-2018 05:26
    We have three VLANs, all with inter-VLAN routing.
    VLAN-1= 10.3.1.0
    VLAN-2= 10.3.2.0
    VLAN-3= 10.3.5.0
    My boss wants VLAN-2 and 3 not to communicate with VLAN-1, so that's why we implemented a policy to disable traffic forwarding to VLAN-1.



    After applying this policy over VLAN-1 in the ingress direction, VLAN-2 and VLAN-3 are not communicating.

    I want VLAN-2 and VLAN-3 to communicate with each other.



  • 2.  RE: ACL applying over VLAN

    Posted 03-13-2018 05:52
    An easier option would be to disable IP forwarding for VLAN 1.


  • 3.  RE: ACL applying over VLAN

    Posted 03-13-2018 10:41
    Hi,

    you have:

    - VLAN-1= 10.3.1.0/24
    - VLAN-2= 10.3.2.0/24
    - VLAN-3= 10.3.5.0/24

    and you want to block traffic from VLAN-2 to VLAN-1,
    then you should apply an ACL on VLAN-2 on ingress like below:

    entry V1_block {
        if match all {
            destination-address 10.3.1.0/24;
        } then {
            count traffic_to_v1;
            deny;
        }
    }

    A similar example will be for VLAN-3.

    --
    Jarek
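As an added illustration (not code from this thread or from Extreme Networks), a small Python model of how the policy above behaves when bound on ingress of VLAN-2 and VLAN-3 with the subnets from this thread; the packets and the match-all evaluator are constructed here, and the evaluator also accepts a source-address condition, which the posted entry does not use.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the policy posted above. Each entry is
# (name, match-all conditions, counter name, action); entries are
# evaluated in order and a packet matching no entry is permitted.
V1_BLOCK = [
    ("V1_block", {"destination-address": "10.3.1.0/24"}, "traffic_to_v1", "deny"),
]

# Ingress policy per VLAN: the same policy bound on VLAN-2 and VLAN-3,
# nothing on VLAN-1 (the uplink). Subnets are the ones in the thread.
VLANS = {
    "VLAN-1": (ip_network("10.3.1.0/24"), []),
    "VLAN-2": (ip_network("10.3.2.0/24"), V1_BLOCK),
    "VLAN-3": (ip_network("10.3.5.0/24"), V1_BLOCK),
}
COUNTERS = {}  # counter name -> number of packets that hit the entry

def ingress_vlan(src):
    """The VLAN a packet enters on, derived from its source subnet."""
    for name, (net, _) in VLANS.items():
        if ip_address(src) in net:
            return name
    raise ValueError(f"{src} is not in any configured VLAN")

def entry_matches(conds, src, dst):
    """'match all': every listed condition must hold for the packet."""
    addr = {"source-address": ip_address(src), "destination-address": ip_address(dst)}
    return all(addr[field] in ip_network(prefix) for field, prefix in conds.items())

def evaluate(src, dst):
    """Return 'permit' or 'deny' for a packet src -> dst, applying the
    policy bound to the ingress VLAN of the source address."""
    _, policy = VLANS[ingress_vlan(src)]
    for _name, conds, counter, action in policy:
        if entry_matches(conds, src, dst):
            COUNTERS[counter] = COUNTERS.get(counter, 0) + 1  # the "count" action
            return action
    return "permit"  # implicit permit at the end of the policy

if __name__ == "__main__":
    for src, dst in [("10.3.2.10", "10.3.5.20"), ("10.3.2.10", "10.3.1.1"),
                     ("10.3.5.20", "10.3.1.1"), ("10.3.1.1", "10.3.2.10")]:
        print(f"{ingress_vlan(src)} {src} -> {dst}: {evaluate(src, dst)}")
    print(COUNTERS)
```

Running it shows VLAN-2 to VLAN-3 permitted and anything towards 10.3.1.0/24 denied and counted. A packet from VLAN-1 into VLAN-2 is permitted because VLAN-1 carries no policy, but its reply is dropped on VLAN-2 ingress, so for stateful traffic the block is effectively two-way.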


  • 4.  RE: ACL applying over VLAN

    Posted 03-13-2018 05:52
    Usually VLANs are used to separate traffic. So from a pure switching point of view, and with no bad cable-based VLAN translations, they don't see each other. Maybe you implemented some routing. If so, follow the proposal from alok.


  • 5.  RE: ACL applying over VLAN

    Posted 03-13-2018 05:52
    I don't want to disable IP forwarding for VLAN-1.



  • 6.  RE: ACL applying over VLAN

    Posted 03-13-2018 05:52
    If VLAN 1 should not communicate with VLAN 2, what are you doing with IP forwarding? Switching will be done anyway, or are you talking about an additional uplink?


  • 7.  RE: ACL applying over VLAN

    Posted 03-13-2018 05:52
    VLAN-1 is used for the uplink, but VLAN-2 and VLAN-3 users should communicate.


  • 8.  RE: ACL applying over VLAN

    Posted 03-13-2018 05:52
    Don't get you. If VLAN 2 and VLAN 3 should be able to use the uplink, but the uplink-connected hosts should not reach VLAN 2 and 3, you need a firewall. If VLAN 2 and VLAN 3 should not reach the uplink, just disable IP forwarding for VLAN 1 because there is no need for it.