Simple question about ACLs

Hello, everybody!


I have VLAN x with the 192.168.1.0/24 network inside it. Bootprelay is configured for the VLAN and clients get IPs. Everything works well.

I have this ACL applied to VLAN x as ingress:


entry VLAN-x {
    if {
        destination-address 192.168.1.0/24 ;
    } then {
        permit ;
    }
}

entry Denyall {
    if {
        source-address 0.0.0.0/0 ;
    } then {
        deny ;
    }
}


Do I understand the following correctly:

1) All L2 traffic is permitted
2) DHCP is permitted

Many thanks in advance,

Ilya
Ilya Semenov


Posted 2 years ago


Prashanth KG, Employee

Hi Ilya,

The first rule would allow all the traffic destined to the IP subnet 192.168.1.0/24. So, IP traffic between the IP hosts within the VLAN would be allowed (Layer 2).
Since we are blocking the rest of the traffic, I believe even ARP traffic would be blocked. Hence the hosts' connectivity would be affected.
So, I recommend adding another rule as below, before the deny rule.

entry VLAN-x-1 {
    if {
        ethernet-type 0x0806 ;
    } then {
        permit ;
    }
}

The DHCP traffic would also be blocked, as per my understanding. So, it would be good to allow the broadcast traffic with the following rule.

entry VLAN-x-2 {
    if {
        ethernet-destination-address ff:ff:ff:ff:ff:ff ;
    } then {
        permit ;
    }
}

Or have a separate rule for the DHCP destination ports 67 and 68.

Hope this helps!
Henrique, Employee

With those rules you should be ok with L2 protocols such as LACP, EDP, STP, etc.

However, as already said by Prashanth, the 2nd rule will also block ARP and DHCP packets.
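To see the effect Prashanth and Henrique describe, here is a small first-match evaluator for the entries in this thread (an added example, not code from the thread or from EXOS). It models only the match conditions used above; the sample frames are constructed, and the treatment of a frame that matches no entry as permitted is an assumption that no policy on this page reaches, since both end with an explicit deny-all entry.

```python
from ipaddress import ip_address, ip_network

IP_KEYS = ("source-address", "destination-address")

def matches(conditions, frame):
    """True when every match condition of an entry's if-block holds for the frame."""
    for key, want in conditions.items():
        have = frame.get(key)
        if key in IP_KEYS:
            # Non-IP frames (e.g. ARP) present an all-zero address field to the
            # match, which is why a 0.0.0.0/0 condition catches them as well.
            if ip_address(have or "0.0.0.0") not in ip_network(want):
                return False
        elif have != want:
            return False
    return True

def evaluate(policy, frame):
    """Entries are tried in file order; the first match decides.
    Assumption: a frame matching no entry is permitted (never reached here,
    because every policy below ends with the explicit Denyall entry)."""
    for name, conditions, action in policy:
        if matches(conditions, frame):
            return name, action
    return None, "permit"

# The two policies from the thread, entries in file order.
ORIGINAL = [
    ("VLAN-x",  {"destination-address": "192.168.1.0/24"}, "permit"),
    ("Denyall", {"source-address": "0.0.0.0/0"},           "deny"),
]
WITH_L2_FIX = [
    ORIGINAL[0],
    ("VLAN-x-1", {"ethernet-type": 0x0806},                             "permit"),  # ARP
    ("VLAN-x-2", {"ethernet-destination-address": "ff:ff:ff:ff:ff:ff"}, "permit"),  # broadcast
    ORIGINAL[1],
]

# Constructed sample frames arriving on VLAN x ingress (not captures from the thread).
FRAMES = {
    "ip-unicast": {"ethernet-type": 0x0800, "ethernet-destination-address": "00:11:22:33:44:55",
                   "source-address": "192.168.1.10", "destination-address": "192.168.1.20"},
    "arp-request": {"ethernet-type": 0x0806, "ethernet-destination-address": "ff:ff:ff:ff:ff:ff"},
    "dhcp-discover": {"ethernet-type": 0x0800, "ethernet-destination-address": "ff:ff:ff:ff:ff:ff",
                      "source-address": "0.0.0.0", "destination-address": "255.255.255.255",
                      "protocol": 17, "destination-port": 67},
}

def verdicts(policy):
    """Map each sample frame to the action the policy takes on it."""
    return {name: evaluate(policy, frame)[1] for name, frame in FRAMES.items()}

if __name__ == "__main__":
    for label, policy in (("original", ORIGINAL), ("with L2 fix", WITH_L2_FIX)):
        print(label, verdicts(policy))
```

With the original two entries only the intra-subnet unicast frame passes; ARP and the DHCP discover fall through to Denyall, and adding the two entries before it lets them through.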