
Extreme Switch ACL


Hi Support,

I would like to ask about ACL configuration.

Assuming I have 3 Vlan created.
Vlan 10 , HR , 192.168.10.1/24
Vlan 20 , IT, 192.168.20.1/24
Vlan 30, GM, 192.168.30.1/24

I would like all 3 Vlan to be isolated from each other; not able to ping/communicate to each other.
This is the command I have created, but I am not sure if it works or not.
Below is the example of blocking HR to IT & GM.

vi HR.pol
press "i" to insert
entry IT {
    if match all {
        destination-address 192.168.20.1/255.255.255.0;
        destination-address 192.168.30.1/255.255.255.0;
    } then {
        deny;
    }
}

Please advise if this is the right way to configure.

Thanks
Regards
Jawn

7 replies

Hi Jawn,
I edited this post so that it was public, and not private. This way, other community members can respond to you.
Drew C. wrote:

Hi Jawn,
I edited this post so that it was public, and not private. This way, other community members can respond to you.

Thank Drew !
Appreciated much.
Hi Jawn,

if you use match-all, all the conditions given must match. But the destination IP address is never in both IP ranges you have specified, thus this ACL entry never matches.

You can change the match-all to match-any. This way if any one of the given conditions matches, e.g. the IP address falls into the first IP range, the entry will match and the then part executed (the packet denied in your example).

Thanks,
Erik
Erik Auerswald wrote:

Hi Jawn,

if you use match-all, all the conditions given must match. But the destination IP address is never in both IP ranges you have specified, thus this ACL entry never matches.

You can change the match-all to match-any. This way if any one of the given conditions matches, e.g. the IP address falls into the first IP range, the entry will match and the then part executed (the packet denied in your example).

Thanks,
Erik

Hi Erik,

Thanks for the advice.
If I want to block HR (.10) to IT & GM.

Does the below command work?

entry block_IT_and_GM {
    if match any {
        source-address 192.168.10.1/24;      # this is HR
        destination-address 192.168.20.1/24; # this is IT
        destination-address 192.168.30.1/24; # this is GM
    } then {
        deny;
    }
}
Hi,

just wanted to state the obvious, in case. If ipforwarding is not enabled, these 3 VLANs will not communicate with each other.

Now, assuming ipforwarding is enabled, ACLs will have to be written clearly for every flow. ACLs only have a "match all" match condition, so you'll have to write various rules, each with a specific src/dest pair, and deny/permit accordingly. As always, you'll have to figure out if in your case it's easier to deny all, then permit some, or the opposite.

Regarding match condition, the "match any" is available only for routing policies, not ACL. But as this is the same preprocessor, it doesn't tell you that you are making a mistake trying to use it.

Hope it helps.
Grosjean, Stephane wrote:

Hi,

just wanted to state the obvious, in case. If ipforwarding is not enabled, these 3 VLANs will not communicate with each other.

Now, assuming ipforwarding is enabled, ACLs will have to be written clearly for every flow. ACLs only have a "match all" match condition, so you'll have to write various rules, each with a specific src/dest pair, and deny/permit accordingly. As always, you'll have to figure out if in your case it's easier to deny all, then permit some, or the opposite.

Regarding match condition, the "match any" is available only for routing policies, not ACL. But as this is the same preprocessor, it doesn't tell you that you are making a mistake trying to use it.

Hope it helps.

Hi Stephane,

The ipforwarding is already enabled on all the 3 VLANS.

For now I have only managed to block HR to IT by using this command.
-----------------------------------------------------------------------------
vi blockIT.pol
entry HR {
    if match all {
        destination-address 192.168.20.1/24; # this is IT
    } then {
        deny;
    }
}
configure access-list blockIT vlan "HR" ingress
-----------------------------------------------------------------------------
However, I have no idea how to combine all the destination-addresses that I would like to block in a specific policy. The reason is that if I continue to create another policy (shown below), the result is: Error: ACL is already configured on vlan HR !

-----------------------------------------------------------------------------
vi blockGM.pol
entry HR {
    if match all {
        destination-address 192.168.30.1/24; # this is GM
    } then {
        deny;
    }
}
configure access-list blockGM vlan "HR" ingress
----------------------------------------------------------------------------
Is there any way to fix this?
Grosjean, Stephane wrote:

Hi,

just wanted to state the obvious, in case. If ipforwarding is not enabled, these 3 VLANs will not communicate with each other.

Now, assuming ipforwarding is enabled, ACLs will have to be written clearly for every flow. ACLs only have a "match all" match condition, so you'll have to write various rules, each with a specific src/dest pair, and deny/permit accordingly. As always, you'll have to figure out if in your case it's easier to deny all, then permit some, or the opposite.

Regarding match condition, the "match any" is available only for routing policies, not ACL. But as this is the same preprocessor, it doesn't tell you that you are making a mistake trying to use it.

Hope it helps.

Hi,

you could apply an ACL to ports, rather than VLAN, and have several rules in that ACL. Something like that:

myACL.pol
entry HR-IT {
    if match all {
        source-address 192.168.10.0/24;
        destination-address 192.168.20.0/24;
    } then {
        deny;
    }
}

entry HR-GM {
    if match all {
        source-address 192.168.10.0/24;
        destination-address 192.168.30.0/24;
    } then {
        deny;
    }
}

etc.

or follow the same logic as you, per VLAN, but with several entries in each ACL.
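As an added example (not from this thread and not Extreme's own tooling), the Python script below models the "match all" semantics described in the replies, generates the per-pair deny entries from the last reply for all three VLANs in one policy file, and shows why the original entry with two destination-address conditions can never match a packet. It assumes an implicit permit when no entry matches; check the EXOS documentation for the real default on your switch.

```python
import ipaddress
from itertools import permutations

# Constructed from the thread: VLAN name -> subnet
VLANS = {
    "HR": ipaddress.ip_network("192.168.10.0/24"),
    "IT": ipaddress.ip_network("192.168.20.0/24"),
    "GM": ipaddress.ip_network("192.168.30.0/24"),
}

def match_all(conditions, src, dst):
    """EXOS 'match all': every (field, network) condition must hold."""
    packet = {"source-address": ipaddress.ip_address(src),
              "destination-address": ipaddress.ip_address(dst)}
    return all(packet[field] in net for field, net in conditions)

def verdict(entries, src, dst):
    """Entries are (name, conditions); first match denies, no match permits.
    The implicit permit is an assumption of this model, not a documented fact."""
    for name, conditions in entries:
        if match_all(conditions, src, dst):
            return ("deny", name)
    return ("permit", None)

def isolation_entries(vlans):
    """One deny entry per ordered (src, dst) VLAN pair, as in the final reply."""
    return [(f"{s}-{d}", [("source-address", vlans[s]),
                          ("destination-address", vlans[d])])
            for s, d in permutations(vlans, 2)]

def render_policy(entries):
    """Render the entries in .pol syntax for a single policy file."""
    out = []
    for name, conditions in entries:
        body = "".join(f"        {field} {net};\n" for field, net in conditions)
        out.append(f"entry {name} {{\n    if match all {{\n{body}"
                   "    } then {\n        deny;\n    }\n}\n")
    return "\n".join(out)

# The original post's entry: two destination-address conditions under match all.
# No single destination can be in both /24s, so this entry never matches.
ORIGINAL = [("IT", [("destination-address", VLANS["IT"]),
                    ("destination-address", VLANS["GM"])])]

if __name__ == "__main__":
    print(verdict(ORIGINAL, "192.168.10.5", "192.168.20.5"))  # ('permit', None)
    iso = isolation_entries(VLANS)
    print(verdict(iso, "192.168.10.5", "192.168.20.5"))       # ('deny', 'HR-IT')
    print(verdict(iso, "192.168.10.5", "192.168.10.9"))       # ('permit', None)
    print(render_policy(iso))
```

Apply the rendered file as one policy to each VLAN's ports (or per VLAN) so a single policy carries every src/dst pair, avoiding the "ACL is already configured on vlan" error seen above.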
