Access list deny VLANs communications

Hi Guys,


I've never applied an access list on Extreme Networks switches. I need to know how to apply and upload an ACL to a BlackDiamond. I have about 10 VLANs.

I need:

1. Permit all access on the same VLAN
2. Permit all access to some servers
3. Deny communications between VLANs

I have read some things in the concepts guide; however, I need to make sure, because we are going to apply this ACL in production.

Jorge


Posted 4 years ago


Paul Russo, Alum

Hello Jorge

There are two ways to do this: you can either keep the explicit permit that is the default of the ACLs and just put a deny for each VLAN-to-VLAN pair, or reverse it.

For example, if you have 3 VLANs VL1, VL2 and VL3 and they are in subnets 192.168.1.x, 2.x and 3.x respectively, then you can just have the deny statements like:

entry Vlan_traffic1 {
    if match all {
        source-address 192.168.1.0/24;
        destination-address 192.168.2.0/24;
    }
    then {
        count Corp_Vlan_Traffic1;
        deny;
    }
}
entry Vlan_traffic2 {
    if match all {
        source-address 192.168.2.0/24;
        destination-address 192.168.1.0/24;
    }
    then {
        count Corp_Vlan_Traffic2;
        deny;
    }
}
entry Vlan_traffic3 {
    if match all {
        source-address 192.168.2.0/24;
        destination-address 192.168.3.0/24;
    }
    then {
        count Corp_Vlan_Traffic3;
        deny;
    }
}
entry Vlan_traffic4 {
    if match all {
        source-address 192.168.3.0/24;
        destination-address 192.168.2.0/24;
    }
    then {
        count Corp_Vlan_Traffic4;
        deny;
    }
}
entry Vlan_traffic5 {
    if match all {
        source-address 192.168.1.0/24;
        destination-address 192.168.3.0/24;
    }
    then {
        count Corp_Vlan_Traffic5;
        deny;
    }
}
entry Vlan_traffic6 {
    if match all {
        source-address 192.168.3.0/24;
        destination-address 192.168.1.0/24;
    }
    then {
        count Corp_Vlan_Traffic6;
        deny;
    }
}

Everything else that is not a hit on these statements will go through. If you then need them to be permitted to specific servers, do the same thing but put the host address of the server with a /32.


I hope that helps.

P
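Added example, not code from Paul's post or from Extreme's documentation: a Python script that generates the policy Paul describes for any number of VLAN subnets, placing the /32 server permits ahead of the subnet-pair denies, and simulates evaluation so the effect of entry order can be checked before the file ever reaches a switch. It assumes EXOS evaluates policy entries top-down with first match winning and an implicit permit at the end; the subnets and server addresses are constructed.

```python
"""Build an EXOS-style .pol policy that isolates VLAN subnets while still
permitting traffic to shared servers, then simulate first-match evaluation.
Added example; assumes top-down, first-match semantics with implicit permit."""
from ipaddress import ip_address, ip_network

# Constructed inputs modelled on the 3-VLAN example in the thread, plus two servers.
VLAN_SUBNETS = ["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"]
SHARED_SERVERS = ["192.168.1.10", "192.168.2.20"]  # permitted as /32 hosts


def build_policy(subnets, servers):
    """Return (entries, policy_text). Server permits are emitted FIRST: under
    first-match evaluation a permit placed after the subnet-pair denies would
    never be reached for server traffic that originates in another VLAN."""
    entries = []
    for i, srv in enumerate(servers, 1):
        entries.append((f"Server_permit{i}", None, f"{srv}/32", "permit"))
    n = 1
    for src in subnets:
        for dst in subnets:
            if src != dst:  # same-VLAN traffic matches nothing and falls through
                entries.append((f"Vlan_traffic{n}", src, dst, "deny"))
                n += 1
    blocks = []
    for name, src, dst, action in entries:
        match = [f"        destination-address {dst};"]
        if src:
            match.insert(0, f"        source-address {src};")
        blocks.append(
            f"entry {name} {{\n    if match all {{\n" + "\n".join(match)
            + f"\n    }}\n    then {{\n        count {name};\n        {action};\n    }}\n}}"
        )
    return entries, "\n".join(blocks)


def evaluate(entries, src_ip, dst_ip):
    """Return (action, entry_name) of the first matching entry, or the implicit permit."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for name, src, dst, action in entries:
        if (src is None or s in ip_network(src)) and d in ip_network(dst):
            return action, name
    return "permit", "implicit"


if __name__ == "__main__":
    entries, text = build_policy(VLAN_SUBNETS, SHARED_SERVERS)
    print(text)  # paste into a .pol file
    for pair in [("192.168.2.5", "192.168.1.10"), ("192.168.2.5", "192.168.1.77")]:
        print(pair, "->", evaluate(entries, *pair))
```

Swapping the order of the permit and deny groups in the generated list and re-running evaluate() shows the server traffic being denied, which is the ordering mistake worth catching before a production change.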

Paul Russo, Alum

Hey Jorge

One more thing: you can copy and paste these into a text document with the .pol extension, then TFTP that file to the switch. From there you use the create access-list command.

You can test this using the XOS VM before you apply it to the production network.


P