Using ACLs to isolate all VLANs; only certain VLANs are allowed to communicate.

Question, updated 4 years ago (edited)
Hi All,

I have a situation: the requirement needs us to isolate all VLANs and only allow certain VLANs to communicate with each other. However, all VLANs shall be able to reach the Internet.

The challenge is that there is OSPF in the network.
Besides, there is VRRP configured in each of the OSPF areas; I hope it will not be affected by the ACLs.

ospf area A        ospf area B        ospf area C
  Vlan1A             Vlan1B             Vlan1C
  Vlan2A             Vlan2B             Vlan2C
  Vlan3A             Vlan3B             Vlan3C
  Vlan4A             Vlan4B             Vlan4C
  Vlan_p2p_A         Vlan_p2p_B         Vlan_p2p_C

* Different OSPF areas have different segments. Hence, there are 12 VLANs + 1 Vlan_Internet.
* The Vlan_p2p VLANs are point-to-point type, used to establish the OSPF routing table.
* All VLANs shall be isolated. However, they need to communicate with Vlan_Internet in order to reach the Internet.
* Vlan1 is only allowed to communicate with Vlan1 in the other OSPF areas; the same goes for Vlan2, 3 and 4.

My idea on how to create the ACLs:
* Create 3 different deny ACLs (denyICMP, denyTCP, denyUDP), then apply them to Vlan1, 2, 3 and 4 in all 3 areas (lowest priority).
* Create 12 different permit ACLs (permitVLAN1A, permitVLAN1B, permitVLAN1C, permitVLAN2A, permitVLAN2B, .....) and apply each to its respective VLAN.
* Create a permit ACL (Vlan_Internet) and apply it to all VLANs.

I am not sure if this is the way to configure ACLs. It doesn't sound practical to me: in the real environment there are 4 OSPF areas and each area has 13 VLANs, so I will end up with hundreds of ACL rules in each switch. If I apply that many ACLs in each switch, I believe it will burden the CPU and might increase the latency.

I know there is another method called private VLAN, but this network is already deployed and it is too late for us to make changes.

Please advise if I am doing it correctly or whether there is another way to do it.

Edward (120 Points)

Posted 4 years ago
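A small model of the stateless, first-match ACL design described in the question, added here as an illustrative example; it is not EXOS policy syntax and not the poster's configuration. The addressing plan (10.<area>.<vlan>.0/24 for the user VLANs, 10.0.0.0/8 as the internal aggregate), the rule names, the 224.0.0.0/24 restriction on the OSPF/VRRP permits and the sample addresses are all constructed assumptions. It shows three things the design has to get right: each peer VLAN's ACL needs its own mirror entry because a stateless list only sees the direction ingressing on that VLAN, the deny for internal address space must precede the catch-all permit that lets Internet-bound traffic reach Vlan_Internet, and the entry count grows with areas × VLANs.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

# IANA-assigned IP protocol numbers for the routing/redundancy control
# traffic the question wants left untouched by the ACLs.
OSPF = 89
VRRP = 112

# Constructed addressing plan (assumption, not from the post):
# area n, VLAN v -> 10.n.v.0/24; all internal space sits inside 10.0.0.0/8.
AREAS = {"A": 1, "B": 2, "C": 3}
VLANS = (1, 2, 3, 4)
INTERNAL = ip_network("10.0.0.0/8")
# OSPF (224.0.0.5/6) and VRRP (224.0.0.18) use link-local multicast;
# scoping the control-plane permits to that range keeps hosts from using
# "protocol 89" as a unicast tunnel between isolated VLANs (design choice).
LINK_LOCAL_MCAST = ip_network("224.0.0.0/24")


def subnet(area: str, vlan: int) -> IPv4Network:
    return ip_network(f"10.{AREAS[area]}.{vlan}.0/24")


@dataclass(frozen=True)
class Rule:
    """One stateless match entry; any field left as None matches anything."""
    action: str                      # "permit" or "deny"
    name: str
    src: Optional[IPv4Network] = None
    dst: Optional[IPv4Network] = None
    proto: Optional[int] = None

    def matches(self, src_ip: str, dst_ip: str, proto: int) -> bool:
        return ((self.src is None or ip_address(src_ip) in self.src)
                and (self.dst is None or ip_address(dst_ip) in self.dst)
                and (self.proto is None or self.proto == proto))


def build_acl(area: str, vlan: int) -> List[Rule]:
    """Ingress ACL for one user VLAN, first match wins.

    Being stateless, it only ever evaluates traffic sourced by this VLAN's
    hosts; the peer VLAN's own ACL must carry the mirror entry or the reply
    is dropped there. Order matters: the deny for internal space must sit
    before the catch-all permit that carries Internet-bound traffic.
    """
    me = subnet(area, vlan)
    rules = [
        Rule("permit", "ospf", dst=LINK_LOCAL_MCAST, proto=OSPF),
        Rule("permit", "vrrp", dst=LINK_LOCAL_MCAST, proto=VRRP),
    ]
    for other in AREAS:                      # same-numbered VLAN elsewhere
        if other != area:
            rules.append(Rule("permit", f"peer_vlan{vlan}{other}",
                              me, subnet(other, vlan)))
    rules.append(Rule("deny", "isolate_internal", me, INTERNAL))
    rules.append(Rule("permit", "to_internet"))   # anything not internal
    return rules


def evaluate(acl: List[Rule], src_ip: str, dst_ip: str, proto: int) -> str:
    """Return the action of the first matching entry ('deny' if none match)."""
    for rule in acl:
        if rule.matches(src_ip, dst_ip, proto):
            return rule.action
    return "deny"  # implicit deny, as on typical switch ACL engines


def total_entries(n_areas: int, vlans_per_area: int) -> int:
    """Entries across all user VLANs: each VLAN's list holds 2 control-plane
    permits + (n_areas - 1) peer permits + 1 deny + 1 catch-all permit."""
    per_vlan = 2 + (n_areas - 1) + 2
    return n_areas * vlans_per_area * per_vlan


if __name__ == "__main__":
    acl_1a = build_acl("A", 1)
    print(evaluate(acl_1a, "10.1.1.10", "10.2.1.20", 6))     # 1A -> 1B: permit
    print(evaluate(acl_1a, "10.1.1.10", "10.1.2.20", 6))     # 1A -> 2A: deny
    print(evaluate(acl_1a, "10.1.1.10", "203.0.113.10", 6))  # 1A -> Internet: permit
    print(total_entries(4, 13))                              # 4 areas x 13 VLANs: 364
```

The reply path 1B -> 1A is only permitted because `build_acl("B", 1)` carries its own `peer_vlan1A` entry; drop it and the conversation is half-open even though 1A's list permits the request. With the poster's real numbers (4 areas, 13 VLANs) the model already needs 364 entries, which is the scaling problem the question raises.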

4,382 Points
I believe your requirement is easily achieved using stateful inspection firewalls.
But I doubt EXOS ACLs do this.
In EXOS, if you add an ACL to block on one VLAN, that will block traffic both ways [it's a normal ACL, not stateful].
So that's why switches have the private VLAN concept.
The same applies to other vendors' switches as well.