Allow DHCP and DNS through ACL for vLans

Trent_Deloach
New Contributor
I have 4 VLANs:
Uplink, Mobile, Portal, NAT

The NAT VLAN is the location of my DHCP and DNS server.

I want to create ACL policies that keep VLANs Mobile, Portal, and NAT from talking to each other, but if I do, it breaks Portal and Mobile clients from getting DHCP.

Can I create ACL policies to block all traffic but DHCP and DNS from Portal and Mobile from the NAT VLAN?

Side note: all need to be allowed through Uplink.

Thanks
10 REPLIES

Trent_Deloach
New Contributor
Ok, I tried it and it all worked like it should!! Awesome. Now what if I had a printer on the JCSD-Mobile VLAN that I needed the NAT VLAN to be able to print to? The IP address of said printer is 10.20.100.181/22. I am also going to have a VLAN for our new camera system that I don't want to have access to the internet. It will be called Cameras and will have an IP range of 10.30.100.0/22. I think I can figure out how to add it from above, but I don't want it to be able to go out the Uplink VLAN. This is what I have now....

create access-list denytoNat "destination-address 10.80.100.0/22" "deny"
create access-list denytoMobile "destination-address 10.20.100.0/22" "deny"
create access-list denytoPortal "destination-address 10.25.100.0/22" "deny"
create access-list denytoCameras "destination-address 10.30.100.0/22" "deny"

create access-list permtodns "destination-address 10.80.100.0/22; protocol udp; destination-port 53" "permit"
create access-list permtodhcp "destination-address 10.80.100.0/22; protocol udp; destination-port 67" "permit"
create access-list permfromdns "protocol udp; source-port 53" "permit"
create access-list permfromdhcp "protocol udp; source-port 67" "permit"

NAT VLAN

config access-list add denytoMobile last vlan Nat ingress
config access-list add denytoPortal last vlan Nat ingress
config access-list add denytoCameras last vlan Nat ingress
config access-list add permfromdns first vlan Nat ingress
config access-list add permfromdhcp first vlan Nat ingress

JCSD-Mobile VLAN

config access-list add denytoNat last vlan JCSD-Mobile ingress
config access-list add denytoPortal last vlan JCSD-Mobile ingress
config access-list add denytoCameras last vlan JCSD-Mobile ingress
config access-list add permtodns first vlan JCSD-Mobile ingress
config access-list add permtodhcp first vlan JCSD-Mobile ingress

User-Portal VLAN

config access-list add denytoNat last vlan User-Portal ingress
config access-list add denytoMobile last vlan User-Portal ingress
config access-list add denytoCameras last vlan User-Portal ingress
config access-list add permtodns first vlan User-Portal ingress
config access-list add permtodhcp first vlan User-Portal ingress

Cameras VLAN

config access-list add denytoNat last vlan Cameras ingress
config access-list add denytoMobile last vlan Cameras ingress
config access-list add denytoPortal last vlan Cameras ingress
config access-list add permtodns first vlan Cameras ingress
config access-list add permtodhcp first vlan Cameras ingress

This has all worked great. I can't test the cameras as I don't have the system installed yet, but I have stored all this information. Thanks to you I now have my network segregated like it is supposed to be. I am going to throw one more at you. What if you wanted to deny traffic to and from a public IP like, say, Google's 8.8.8.8... I'm just using that as an example, but what if you did?

You would simply create a deny line for that particular address and then apply it to the VLANs which have internet access, for example:

create access-list deny8888 "destination-address 8.8.8.8/32" "deny"

config access-list add deny8888 first vlan {VLAN} ingress

That was the intention. But I should have added a line allowing ARPs and Broadcasts.

create access-list pbcast "ethernet-destination-address ff:ff:ff:ff:ff:ff" "permit"
create access-list parp "ethernet-type 0x0806" "permit"

config access-list add pbcast first vlan Cameras ingress
config access-list add parp first vlan Cameras ingress

Sorry about that. Again, you want to test all of this in a lab or on a lab switch.
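As an added example that is not part of this thread and not Extreme's own code: a small Python model of first-match ACL evaluation that replays the Cameras VLAN chain posted above, plus the later pbcast/parp lines, and reports what each sample frame gets. It assumes what the posted config relies on: entries are checked top to bottom, "first" inserts at the top, "last" appends, and a frame matching no entry is forwarded. Sample frames and any MAC or IP values not quoted in the thread are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
@dataclass
class Pkt:  # header fields the thread's ACL match strings look at
    eth_type: int = 0x0800  # 0x0800 IPv4, 0x0806 ARP
    eth_dst: str = "00:11:22:33:44:55"  # constructed unicast MAC
    dst_ip: str = "0.0.0.0"
    proto: str = "tcp"
    dport: int = 0

@dataclass
class Rule:  # one create access-list <name> "<match>" "<action>" line
    action: str
    dst_net: "str | None" = None
    proto: "str | None" = None
    dport: "int | None" = None
    eth_dst: "str | None" = None
    eth_type: "int | None" = None
    def matches(self, p: Pkt) -> bool:
        return all([
            p.eth_type == 0x0800 or not (self.dst_net or self.proto or self.dport),  # IP terms never match ARP
            self.dst_net is None or ip_address(p.dst_ip) in ip_network(self.dst_net),
            self.proto is None or p.proto == self.proto,
            self.dport is None or p.dport == self.dport,
            self.eth_dst is None or p.eth_dst.lower() == self.eth_dst,
            self.eth_type is None or p.eth_type == self.eth_type,
        ])

ACLS = {  # the lists created in the thread, including the later pbcast/parp ones
    "denytoNat": Rule("deny", dst_net="10.80.100.0/22"),
    "denytoMobile": Rule("deny", dst_net="10.20.100.0/22"),
    "denytoPortal": Rule("deny", dst_net="10.25.100.0/22"),
    "permtodns": Rule("permit", dst_net="10.80.100.0/22", proto="udp", dport=53),
    "permtodhcp": Rule("permit", dst_net="10.80.100.0/22", proto="udp", dport=67),
    "pbcast": Rule("permit", eth_dst="ff:ff:ff:ff:ff:ff"),
    "parp": Rule("permit", eth_type=0x0806),
    "deny8888": Rule("deny", dst_net="8.8.8.8/32"),
}

def build_chain(steps):  # replay 'config access-list add <name> first|last vlan ... ingress'
    chain = []
    for name, pos in steps:  # "first" goes to the top, "last" to the bottom
        chain.insert(0 if pos == "first" else len(chain), ACLS[name])
    return chain

def evaluate(chain, p: Pkt) -> str:  # first match decides; no match means forwarded
    return next((r.action for r in chain if r.matches(p)), "permit")

CAMERAS = build_chain([("denytoNat", "last"), ("denytoMobile", "last"), ("denytoPortal", "last"),
    ("permtodns", "first"), ("permtodhcp", "first"), ("pbcast", "first"), ("parp", "first")])
```

Running the sample frames through CAMERAS shows that DHCP broadcasts, ARP and DNS to the NAT server pass, other traffic into the NAT, Mobile and Portal ranges is dropped, and an unlisted public address such as 8.8.8.8 is still forwarded until a deny entry for it is added first, exactly as the reply above describes.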