ExtremeCloud IQ- Site Engine & Extreme Management Center


ACL for applying over VLAN

  • 1.  ACL for applying over VLAN

    Posted 02-28-2018 04:00
    We have 4 VLANs on the Core Switch (MLAG configured):
    VLAN 1: 10.3.1.0
    VLAN 2: 10.3.2.0
    VLAN 3: 10.3.3.0
    VLAN 4: 10.3.4.0

    We don't want VLAN-3 and VLAN-2 to communicate with VLAN-1,
    but VLAN-2 and VLAN-3 should be able to communicate with each other.
    Please help: what ACL should be applied?


  • 2.  RE: ACL for applying over VLAN

    Posted 02-28-2018 04:05
    The most straightforward way to do this is using VRF.


  • 3.  RE: ACL for applying over VLAN

    Posted 02-28-2018 04:29
    Hi alok,

    You can deny the traffic to VLAN 1 from VLAN 2 & VLAN 3:

    entry Vlan_2 {
        if match all {
            source-address 10.3.2.0/24;
            destination-address 10.3.1.0/24;
        }
        then {
            count Corp_Vlan_2 ;
            deny ;
        }
    }
    entry Vlan_3 {
        if match all {
            source-address 10.3.3.0/24;
            destination-address 10.3.1.0/24;
        }
        then {
            count Corp_Vlan_Traffic2 ;
            deny ;
        }
    }

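    An added example, not part of the thread: a small Python model of the policy above, evaluating entries first-match with EXOS's implicit permit for unmatched packets. Host addresses are constructed; it shows that the two deny entries block VLAN 2/3 towards VLAN 1 while leaving VLAN 2 and VLAN 3 unrestricted, and that because the ACL is stateless, a VLAN 1 host cannot complete a ping or TCP handshake either, since the reply packet is dropped on ingress.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Entry:
    """One 'if match all' entry of the posted EXOS policy file."""
    name: str
    source: ipaddress.IPv4Network
    destination: ipaddress.IPv4Network
    action: str  # "deny" or "permit"


# The two entries from the thread, in file order.
POLICY = [
    Entry("Vlan_2", ipaddress.ip_network("10.3.2.0/24"),
          ipaddress.ip_network("10.3.1.0/24"), "deny"),
    Entry("Vlan_3", ipaddress.ip_network("10.3.3.0/24"),
          ipaddress.ip_network("10.3.1.0/24"), "deny"),
]

# Constructed sample host per VLAN (one host in each posted /24).
VLAN_HOST = {1: "10.3.1.10", 2: "10.3.2.10", 3: "10.3.3.10", 4: "10.3.4.10"}


def evaluate(policy, src, dst):
    """First matching entry wins; a packet matching no entry is forwarded (implicit permit)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for entry in policy:
        if s in entry.source and d in entry.destination:
            return entry.action, entry.name
    return "permit", None


def exchange_allowed(policy, host_a, host_b):
    """A stateless ACL must permit both directions for ping or a TCP handshake to succeed."""
    return (evaluate(policy, host_a, host_b)[0] == "permit"
            and evaluate(policy, host_b, host_a)[0] == "permit")


def reachability_matrix(policy=POLICY):
    """Map (vlan_a, vlan_b) -> whether a two-way exchange between them completes."""
    return {(a, b): exchange_allowed(policy, VLAN_HOST[a], VLAN_HOST[b])
            for a in VLAN_HOST for b in VLAN_HOST if a != b}


if __name__ == "__main__":
    for (a, b), ok in sorted(reachability_matrix().items()):
        print(f"VLAN {a} <-> VLAN {b}: {'allowed' if ok else 'blocked'}")
```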


  • 4.  RE: ACL for applying over VLAN

    Posted 02-28-2018 11:02
    It's not working; both VLANs are still pinging each other.


  • 5.  RE: ACL for applying over VLAN

    Posted 02-28-2018 04:29
    Thanks Aman,
    this ACL is applied in the ingress direction.


  • 6.  RE: ACL for applying over VLAN

    Posted 02-28-2018 11:02
    Did you apply it in the ingress direction?


  • 7.  RE: ACL for applying over VLAN

    Posted 02-28-2018 11:02
    ** count Corp_Vlan_3 in the last statement.
    I'm also doing this for the first time, so it could be wrong, but it should work.


  • 8.  RE: ACL for applying over VLAN

    Posted 02-28-2018 11:02
    Yes, we applied it in the ingress direction, but both VLANs can still ping each other.

    Note: If an ACL needs to be installed for traffic that is L3 routed, and the ingress/egress ports are on different packet-processing units or different slots, and any of the following features are enabled, we recommend that you install the policy on a per-port basis rather than applying it as a wildcard or VLAN-based ACL:
    • MLAG (Multi-switch Link Aggregation Group)
    • PVLAN
    • Multiport-FDB (forwarding database)