Help with ACL to block all traffic to one VLAN except for permitted hosts

Hello, all. Thanks for providing this great resource, I find a lot of great answers on here regularly. I'm working on a task that involves playing with ACLs, something I am mostly unfamiliar with. I am trying to accomplish what I think should be simple, but clearly isn't working as intended. Most likely I am just missing something obvious or trying to do something outside the scope of what ACLs are designed for. Please understand that I am very new to this, so if it sounds like a stupid question and I'm doing things wrong, I probably am.

Say we have three VLANs: "IT", "CONTROL", and "OFFICE". I want to restrict all traffic to VLAN CONTROL from OFFICE, but not from IT.

IT: 172.18.100.0/22
Control: 172.18.200.0/22
Office: 172.18.228.0/22

I can apply an ACL to the VLAN OFFICE on egress that restricts traffic to CONTROL and that works fine. The problem is that, in production, I actually have about 50 VLANs across all our sites and this becomes difficult to manage. Instead of having 50 ACLs I'd like to have one. So I've tried to create an ACL that blocks traffic from all VLANs but IT on ingress and applied that to VLAN CONTROL. I have been told by the GTAC that this won't work because the traffic coming into the switch isn’t coming in on the VLAN I'm trying to block traffic to. So that leaves me with putting an egress ACL in place on VLAN CONTROL that permits traffic leaving the VLAN to IT but denies it to everywhere else. All of our production hardware supports egress ACLs.

I was also told, and this may be wrong, that I need an explicit permit of traffic within the VLAN itself (which doesn't really make sense to me why I need that if the traffic is staying within the subnet), hence my first entry.

Here is what I currently have, access list CONTROLACL.pol:

entry permit_intra_vlan {
    if match all {
        source-address 172.18.200.0/22;
        destination-address 172.18.200.0/22;
    } then {
        permit;
    }
}

entry permit_AVCONTROL_to_IT {
    if match all {
        destination-address 172.18.100.0/22;
    } then {
        permit;
    }
}

entry deny_rest {
    if match all {
        source-address 0.0.0.0/0;
    } then {
        deny;
        count Deny;
    }
}

What I *think* this does is permit traffic within the VLAN, permit the VLAN to talk to hosts on the IT VLAN, and deny it from talking to anything else. When I run "check pol controlacl" it is successful. I implement it with "conf access-list controlacl VLAN control egress", yet from a test system on OFFICE I can still ping the gateway of CONTROL at 172.18.200.1.

(As an aside, I'm slightly concerned that an egress ACL would permit broadcast traffic to the VLAN from other subnets, but I'm unsure how to address that concern).

Pulling my hair out on this one! Thanks for any assistance you can provide.

FYI: Production hardware is a BD8810 core with X450-G2's on the edges. The test network I'm working against is three X440-G2's (one core and two edges).
Justin Noland

Posted 1 year ago

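A quick way to see what the posted policy actually matches before touching the switch is to replay its entries in order against sample packets. The following is an added example, not code from the original post or from ExtremeXOS: it encodes the three CONTROLACL.pol entries as data (first match wins, as ExtremeXOS evaluates policy entries top to bottom) and evaluates constructed packets for each direction the question is about. Note that a packet from an IT host toward a CONTROL host falls through to deny_rest, because no entry names 172.18.100.0/22 as a source.

```python
import ipaddress

# CONTROLACL.pol as posted, as data: (entry name, "match all" conditions, action).
# Entries are evaluated top to bottom; the first entry whose conditions all hold wins.
CONTROLACL = [
    ("permit_intra_vlan", {"source": "172.18.200.0/22", "destination": "172.18.200.0/22"}, "permit"),
    ("permit_AVCONTROL_to_IT", {"destination": "172.18.100.0/22"}, "permit"),
    ("deny_rest", {"source": "0.0.0.0/0"}, "deny"),
]

def entry_matches(conditions, src, dst):
    """True when every condition of an 'if match all' block holds for the packet."""
    addr = {"source": ipaddress.ip_address(src), "destination": ipaddress.ip_address(dst)}
    return all(addr[field] in ipaddress.ip_network(cidr) for field, cidr in conditions.items())

def evaluate(src, dst, policy=CONTROLACL):
    """Return (entry_name, action) of the first matching entry, or (None, 'no-match')."""
    for name, conditions, action in policy:
        if entry_matches(conditions, src, dst):
            return name, action
    return None, "no-match"

# Constructed sample packets (hypothetical hosts in the subnets from the question).
TEST_PACKETS = {
    "OFFICE host -> CONTROL gateway": ("172.18.228.10", "172.18.200.1"),
    "OFFICE host -> CONTROL host":    ("172.18.228.10", "172.18.200.50"),
    "IT host -> CONTROL host":        ("172.18.100.10", "172.18.200.50"),
    "CONTROL host -> IT host":        ("172.18.200.50", "172.18.100.10"),
    "CONTROL host -> CONTROL host":   ("172.18.200.50", "172.18.200.60"),
}

def evaluate_all(packets=TEST_PACKETS, policy=CONTROLACL):
    """Map each labelled packet to the (entry, action) the policy gives it."""
    return {label: evaluate(src, dst, policy) for label, (src, dst) in packets.items()}

if __name__ == "__main__":
    for label, (entry, action) in evaluate_all().items():
        print(f"{label:32} -> {action:6} ({entry})")
```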

Grosjean, Stephane, Employee

Hi,

As you have G2 at the edge, do you have ExtremeManagement Center? That sounds like a policy to apply to your edge, rather than playing manually and statically with ACLs.