How can I create an access-list on egress to allow only a few VLANs inside a VMAN? Drop all doesn't work either

Hi,
My target is to allow only a few VLANs from a VMAN to exit a specific port.

Example: ports 1, 2 and 3 are untagged in VMAN 2000.
All traffic from 1 should be forwarded to 2 and vice versa. Only VLANs 100 and 102 should be forwarded to port 3. I do not know the VLANs inserted into ports 1 and 2, except 100 and 102, hence the untagged VMAN idea.

To start I tried a deny-all rule on port 3.
The documentation gives this egress rule:
denyAll.pol
entry DenyAllEgress {
    if {
        source-address 0.0.0.0/0;
    } then {
        deny;
    }
}
but after
configure access-list denyAll ports 3 egress
all traffic is still visible at port 3 and also on the next switch...

What's the fault and what's the solution?
Immo Wetzel

Posted 4 months ago

Brandon Clay, Escalation Support Engineer

Hi Immo,

It sounds like what you want to do is configure port 3 as a customer edge port, allowing inner tags 100 and 102 only.

For example,
configure vman <vman_name> add port 3 cep cvid 100
configure vman <vman_name> add port 3 cep cvid 102
You can see more info on this at the link below:
https://documentation.extremenetworks.com/exos_commands_22.4/EXOS_21_1/EXOS_Commands_All/r_configure...
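The complete configuration for the scenario in the question (ports 1 and 2 untagged in the VMAN, port 3 as a customer edge port carrying only inner tags 100 and 102), as an added example assembled from the EXOS commands above; it is not part of the original answer. The VMAN name v2000 is an assumption, the tag 2000 and port numbers come from the question, and `add ports` is the plural form the EXOS CLI accepts.

```text
# Added example (not from the original answer). EXOS CLI, assumes the VMAN
# does not exist yet and that the VMAN name v2000 is free.
create vman v2000
configure vman v2000 tag 2000

# Ports 1 and 2: untagged VMAN members. Every customer VLAN arriving on them
# is wrapped in the VMAN tag and forwarded between the two ports unchanged.
configure vman v2000 add ports 1,2 untagged

# Port 3: customer edge port. Only frames whose inner (customer) tag is
# 100 or 102 are sent out of this port; other inner tags are not forwarded.
configure vman v2000 add ports 3 cep cvid 100
configure vman v2000 add ports 3 cep cvid 102

# Verify the port roles and the CVIDs admitted on the CEP port
show vman v2000
```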
Immo Wetzel

OK, but how about untagged and VLAN 0 traffic?