Header Only - DO NOT REMOVE - Extreme Networks

ACL one way


Hello,
I need to create an access list based on subnet IP source and destination and applied in a VLAN interface, the ACL work fine when we need to block all traffic, but when we try to block the traffic in one way like reflexive ACL in Cisco it doesn't work, here is my ACL:
entry DenyInterVlanRouting {
if match all {
source-address 10.10.1.110/32;
destination-address 10.10.128.245/32;
}
then {
deny ;
}
}
I want to block only from 10.10.1.110 to 10.10.128.245 and allow in the return path.

9 replies

Userlevel 3
Hi,

If you want to allow the return traffic, then, you need to have another rule like below on the same policy file:

entry Permit_return{
if match all {
source-address 10.10.128.245/32 ;
destination-address 10.10.1.110/32;
}
then {
permit;
}
}
Hi Senguttuvan,
Thank's for the replay,
I tried this one, but the traffic still dropped in both way, here is my new ACL:

entry DenyVlanDefault {
if match all {
source-address 10.10.10.58/32;
destination-address 10.10.128.20/32;
}then{
deny;
}
}
entry permit {
if match all {
source-address 10.10.128.20/32;
destination-address 10.10.10.58/32;
}
then{
permit;
}
}

I apply it in Default vlan interface ingress
Note: I changed IP address for test
Userlevel 3
Hi Kamal,

I am sorry, I missed the part that you are applying this policy on a VLAN and in ingress direction.

I would like to know following information:

1. On which VLAN this IP resides 10.10.128.20/32;? I believe the IP 10.10.10.58 is on VLAN Default right?
2. How are you validating that the traffic with source 10.10.128.20 and destination 10.10.10.58 are getting forwarded to the device properly when the return traffic is blocked.
3. What are the ports these devices are connected to on the switch?

Regards,
Arun
Hi,
I have a summit L3 as core switch with multiple Vlan, the vlan interface 128 have IP 10.10.128.1/24 and is the gateway for 10.10.128.20 and the 10.10.10.58 is in the default vlan
Userlevel 3
How are you validating that the traffic with source 10.10.128.20 and destination 10.10.10.58 are getting forwarded to the device properly when the return traffic is blocked.

Do you have any other rule in the policy apart from the deny rule?

Could you create a new policy with following rule:

entry permit {
if match all {
source-address 10.10.128.20/32;
destination-address 10.10.10.58/32;
}
then{
permit;
}
}

and apply as ingress on VLAN 128 and verify if it works.
for your question, my goal is to block traffic from 10.10.10.58 to 10.10.128.20 and allow 10.10.128.20 to 10.10.10.58. i can ping between theme when there is no ACL, this is how i validate that traffic is forwarded in the Switch,
I tried to make a second ACL to permit ingress traffic in 128 vlan interface but it still blocked
Userlevel 3
Ping might not work because you are blocking the return traffic.

I prefer you open a case with TAC.
Can i make inter vlan isolation, i mean block communication using vlan id with some exception ?

Reply