Question

EXOS ACL for block inter VLAN traffic

  • 14 September 2020
  • 2 replies
  • 56 views

Hi all,

I need some advice from you regarding the ACL configuration.

Scenario:

There are five VLANs named “Manage, VLAN1, VLAN2, VLAN3, VLAN4”. All VLANs' DHCP pools are configured on the core switch. The core is an X460-24p stack.

My points are:

1). All traffic from VLAN 1-4 to the Manage VLAN should be blocked.

2). The Manage VLAN can access the other VLANs.

3). VLAN3 and VLAN4 cannot communicate with each other and also cannot access VLAN 1 and VLAN 2.

4). VLAN 1 and VLAN 2 can communicate with each other.


I created 5 different static ACLs as follows and applied each to a VLAN as ingress. But they are not working, and there is not even a count.

# VLAN1 (10.10.10.0/24) -> Manage (192.168.20.0/24): deny and count.
# The subnet is written as its network address; the original used the
# interface address 10.10.10.254/24, which EXOS masks to the same network.
entry denyUPC {
        if match all {
                source-address 10.10.10.0/24;
                destination-address 192.168.20.0/24;
        }
        then {
                count denyUPC;
                deny;
        }
}

# VLAN2 (172.16.100.0/24) -> Manage: deny, with its own counter
# (the original reused the counter name denyUPC, so hits could not be told apart).
entry denyUPC1 {
        if match all {
                source-address 172.16.100.0/24;
                destination-address 192.168.20.0/24;
        }
        then {
                count denyUPC1;
                deny;
        }
}


Please help to solve this.

Thanks.

Gihan


2 replies


Hi,

EXOS ACLs are evaluated in order and have an implicit permit at the end. So, two entries will be necessary, one to deny traffic from each source subnet to each destination subnet. All other traffic (i.e. internet traffic) will be permitted.


Below is an article that describes it in more detail:

How to use an ACL to prevent inter-VLAN traffic for internal subnets but allow internet traffic


Thanks,

Chris Thompson


As far as I remember, EXOS ACLs work at the port level as well when you apply them on a VLAN. This means you need to permit traffic inside each VLAN too if you have an explicit “deny any” at the end.

Also, ACLs are not stateful. So in the case of 2., you can’t permit Manage to access VLAN 1-4 if the other direction is denied (1.).

You should have a look at the “private VLAN” function. I think this would make more sense for you.

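The two replies make claims that are easy to check with a small model: EXOS ACLs are first-match with an implicit permit at the end, and they are stateless, so requirement 2 (Manage reaches VLAN 1-4) collides with requirement 1 (VLAN 1-4 never reach Manage) because the reply packets of a Manage-initiated session are themselves VLAN-to-Manage traffic. The script below is an added example written for this thread, not code from the post or from Extreme Networks. It parses the subset of .pol syntax used in the question, evaluates packets in entry order with the implicit permit, generates one deny entry per forbidden VLAN pair (with a distinct counter each), and checks both directions of a session. The Manage, VLAN1 and VLAN2 subnets are taken from the posted ACLs; the VLAN3 and VLAN4 subnets are assumed, and the model assumes, as the second reply describes, that the ACL is evaluated for every packet entering the VLAN, including same-VLAN traffic.

```python
"""Stateless, first-match ACL evaluation modelled on EXOS policy files.

Added example for this thread; it is not code from the post or from EXOS.
It parses the subset of .pol syntax used above (entry / if match all / then),
evaluates packets in entry order with the implicit permit at the end, and then
checks the four requirements from the question. Subnets for Manage, VLAN1 and
VLAN2 are taken from the posted ACLs; the VLAN3 and VLAN4 subnets are assumed.
"""
import re
from ipaddress import ip_address, ip_network

SUBNETS = {
    "Manage": ip_network("192.168.20.0/24"),   # from the post
    "VLAN1": ip_network("10.10.10.0/24"),      # from the post
    "VLAN2": ip_network("172.16.100.0/24"),    # from the post
    "VLAN3": ip_network("10.10.30.0/24"),      # assumed for this example
    "VLAN4": ip_network("10.10.40.0/24"),      # assumed for this example
}
ANY = ip_network("0.0.0.0/0")

# Requirements 1, 3 and 4 expressed as (source VLAN, destination VLAN) pairs to deny.
DENY_PAIRS = [
    ("VLAN1", "Manage"), ("VLAN2", "Manage"), ("VLAN3", "Manage"), ("VLAN4", "Manage"),
    ("VLAN3", "VLAN4"), ("VLAN4", "VLAN3"),
    ("VLAN3", "VLAN1"), ("VLAN3", "VLAN2"), ("VLAN4", "VLAN1"), ("VLAN4", "VLAN2"),
]

ENTRY_RE = re.compile(
    r"entry\s+(\w+)\s*\{\s*if\s+match\s+all\s*\{(.*?)\}\s*then\s*\{(.*?)\}\s*\}",
    re.DOTALL,
)


def build_policy(deny_pairs, explicit_deny_all=False):
    """Render one deny entry per pair in EXOS .pol syntax, each with its own counter."""
    parts = []
    for src, dst in deny_pairs:
        name = f"deny_{src}_to_{dst}"
        parts.append(
            f"entry {name} {{\n    if match all {{\n"
            f"        source-address {SUBNETS[src]};\n"
            f"        destination-address {SUBNETS[dst]};\n"
            f"    }} then {{\n        count {name};\n        deny;\n    }}\n}}\n"
        )
    if explicit_deny_all:  # the trailing "deny any" the second reply warns about
        parts.append("entry deny_all {\n    if match all {\n    } then {\n        deny;\n    }\n}\n")
    return "".join(parts)


def parse_policy(text):
    """Return (name, src_net, dst_net, action) tuples in file order."""
    entries = []
    for name, match_block, then_block in ENTRY_RE.findall(text):
        src = re.search(r"source-address\s+([\d./]+)\s*;", match_block)
        dst = re.search(r"destination-address\s+([\d./]+)\s*;", match_block)
        # strict=False masks host bits, so 10.10.10.254/24 as written in the post means 10.10.10.0/24
        src_net = ip_network(src.group(1), strict=False) if src else ANY
        dst_net = ip_network(dst.group(1), strict=False) if dst else ANY
        action = "deny" if re.search(r"\bdeny\s*;", then_block) else "permit"
        entries.append((name, src_net, dst_net, action))
    return entries


def evaluate(entries, src_ip, dst_ip):
    """First matching entry wins; a packet that matches nothing is implicitly permitted."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for name, src_net, dst_net, action in entries:
        if s in src_net and d in dst_net:
            return action, name
    return "permit", "implicit"


def host(vlan, index=10):
    """A representative host address inside the VLAN's subnet."""
    return str(SUBNETS[vlan][index])


def forward_allowed(entries, src_vlan, dst_vlan):
    """Whether a single packet from src_vlan to dst_vlan passes the ACL."""
    return evaluate(entries, host(src_vlan), host(dst_vlan, 20))[0] == "permit"


def session_possible(entries, client_vlan, server_vlan):
    """A stateless ACL sees the reply as a fresh packet, so both directions must pass."""
    return (forward_allowed(entries, client_vlan, server_vlan)
            and forward_allowed(entries, server_vlan, client_vlan))


POLICY = build_policy(DENY_PAIRS)

if __name__ == "__main__":
    entries = parse_policy(POLICY)
    for src in SUBNETS:
        for dst in SUBNETS:
            print(f"{src:>6} -> {dst:<6} forward={forward_allowed(entries, src, dst)!s:<5} "
                  f"session={session_possible(entries, src, dst)}")
```

Running it prints the full VLAN-to-VLAN matrix. The `forward` column shows requirements 1, 3 and 4 satisfied, but the `session` column for Manage to VLAN1-4 is False: the SYN from Manage is implicitly permitted, the SYN-ACK coming back from the VLAN is caught by the deny entry. Rebuilding the policy with `explicit_deny_all=True` also turns same-VLAN sessions off, which is the second reply's point about needing explicit permits inside each VLAN once a trailing deny exists.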