isolate ip network of vlan from other on same port

  • 1 December 2016
  • 26 replies
  • 571 views

Here is the scenario: we have multiple VLANs configured as follows.

VLAN 2001 setting

create vlan "vlan2001"
configure vlan vlan2001 tag 2001
configure vlan vlan2001 add ports 21-24 tagged
configure vlan vlan2001 ipaddress 10.0.0.1 255.255.255.0
configure vlan vlan2001 dhcp-address-range 10.0.0.3 - 10.0.0.100
configure vlan vlan2001 dhcp-options default-gateway 10.0.0.1
enable ipforwarding vlan vlan2001
enable dhcp ports 21-24 vlan vlan2001

There are lots of other VLANs, for example:
create vlan "vlan199"
configure vlan vlan199 tag 199
configure vlan vlan199 add ports 21-24 tagged
configure vlan vlan199 ipaddress 172.16.199.1 255.255.255.0
configure vlan vlan199 dhcp-address-range 172.16.199.2 - 172.16.199.200
configure vlan vlan199 dhcp-options default-gateway 172.16.199.1
enable ipforwarding vlan vlan199
enable dhcp ports 21-24 vlan vlan199

Similarly we have VLANs 101 to 198 with IP 172.16.<101-198>.1 and DHCP range 172.16.<101-198>.2 - 172.16.<101-198>.200.
I want 172.16.<101-199>.x to not be able to ping 10.0.0.x.
How should I do that?

Thanks.


Take a look at some of the examples provided here:

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-create-and-apply-an-ACL-in-EXOS
I tried this

vi no_voip_access.pol

entry one {
if match all {
source-address 172.16.0.0/16 ;
destination-address 10.0.0.0/24 ;
}
then
{
redirect 172.16.0.1;
}
}

configure access-list no_voip_access.pol port 21 ingress

Got
Error: ACL policy no_voip_access.pol not found

Here I was hoping that all packets with source IP 172.16.x.x and destination IP 10.0.0.x would be sent to 172.16.0.1.
Userlevel 7

configure access-list no_voip_access port 21 ingress

Now, at least the access list is being used.
There seems to be no change in behaviour.
Ping to 10.0.0.2 from the PC with IP 172.16.199.2 fails when the PC with IP 10.0.0.2 is disconnected from the Extreme switch.
One more thing - how do I remove the access list?
I guess rm no_voip_access.pol would not be proper?
Userlevel 4
If you just want to deny "Ping" then this would do it:

entry No_Ping { if {
protocol icmp;
source-address 172.16.0.0/16;
destination-address 10.0.0.0/24;
} then {
deny;
}
}

If you want to isolate traffic so that it does not enter different areas of the network, ACLs can become a pain. Depending on the platform you have, you can assign the VLANs to different virtual routers.

So if you have VLAN 2001 in the user-defined VR vr-v2001 (just an example name) and VLAN 199 in a different user-defined VR, e.g. vr-access, then these VLANs are isolated by default and you don't need any ACLs.
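To make the difference between "deny ping" and real isolation concrete, here is an added example (not from the original thread or from Extreme) that parses EXOS-style policy entries and evaluates a packet against them with first-match semantics and the implicit trailing permit. The No_Ping entry is the one posted above; the Block_All entry is a constructed counterpart that drops every IP protocol between the two ranges.

```python
import ipaddress
import re

# Constructed sample policies in EXOS policy-file syntax: the No_Ping entry
# from the thread, and a constructed Block_All entry with no protocol match.
NO_PING = """
entry No_Ping { if {
    protocol icmp;
    source-address 172.16.0.0/16;
    destination-address 10.0.0.0/24;
} then { deny; } }
"""
BLOCK_ALL = """
entry Block_All { if match all {
    source-address 172.16.0.0/16 ;
    destination-address 10.0.0.0/24 ;
} then { deny; } }
"""

ENTRY_RE = re.compile(
    r"entry\s+(\w+)\s*\{\s*if(?:\s+match\s+(all|any))?\s*\{(.*?)\}"
    r"\s*then\s*\{(.*?)\}\s*\}", re.S)

def _stmts(block):
    """Split a brace body into its ';'-terminated statements."""
    return [s.strip() for s in block.split(";") if s.strip()]

def parse_policy(text):
    """Return [(name, match_mode, {condition: value}, [actions])] in file order."""
    entries = []
    for name, mode, cond, act in ENTRY_RE.findall(text):
        conds = dict(c.split(None, 1) for c in _stmts(cond))
        entries.append((name, mode or "all", conds, _stmts(act)))
    return entries

def _cond_ok(key, val, pkt):
    if key == "protocol":
        return pkt["proto"] == val
    if key == "source-address":
        return ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(val)
    if key == "destination-address":
        return ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(val)
    raise ValueError("unsupported condition: " + key)

def evaluate(entries, pkt):
    """First matching entry wins; an EXOS ACL ends in an implicit permit."""
    for name, mode, conds, acts in entries:
        hits = [_cond_ok(k, v, pkt) for k, v in conds.items()]
        if (all(hits) if mode == "all" else any(hits)):
            return name, acts
    return None, ["permit"]
```

With only No_Ping applied, a TCP packet from 172.16.199.2 to 10.0.0.2 falls through to the implicit permit, which is why an ICMP-only deny does not isolate the VLAN.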
OK

I can't find a way to disable the ACL.
Userlevel 4
unconfigure access-list no_voip_access port 21
On my switch:
* X460-24t.2 # unconfigure access-list no_voip_access
done!
* X460-24t.2 # unconfigure access-list no_voip_access
Execute the command
egress Acls applied to egress
ingress Acls applied to ingress
There is no port option.
Anyway, not a problem for me.
One more thing:
I did
disable ipforwarding vlan vlan199

I thought this would prevent the PC with IP 172.16.199.2 from pinging any 10.0.0.x or 172.16.<101-198>.x.
That did not happen.
Userlevel 1
show iproute?
* X460-24t.4 # disable ipforwarding vlan199
* X460-24t.5 # show iproute vlan199
Ori Destination Gateway Mtr Flags VLAN Duration
#d 172.16.199.0/24 172.16.199.1 1 U------um--f- vlan199 18d:21h:4m:23s

Origin(Ori): (b) BlackHole, (be) EBGP, (bg) BGP, (bi) IBGP, (bo) BOOTP
(ct) CBT, (d) Direct, (df) DownIF, (dv) DVMRP, (e1) ISISL1Ext
(e2) ISISL2Ext, (h) Hardcoded, (i) ICMP, (i1) ISISL1 (i2) ISISL2
(is) ISIS, (mb) MBGP, (mbe) MBGPExt, (mbi) MBGPInter, (mp) MPLS Lsp
(mo) MOSPF (o) OSPF, (o1) OSPFExt1, (o2) OSPFExt2
(oa) OSPFIntra, (oe) OSPFAsExt, (or) OSPFInter, (pd) PIM-DM, (ps) PIM-SM
(r) RIP, (ra) RtAdvrt, (s) Static, (sv) SLB_VIP, (un) UnKnown
(*) Preferred unicast route (@) Preferred multicast route
(#) Preferred unicast and multicast route

Flags: (B) BlackHole, (b) BFD protection requested, (c) Compressed, (D) Dynamic
(f) Provided to FIB, (G) Gateway, (H) Host Route, (L) Matching LDP LSP
(l) Calculated LDP LSP, (3) L3VPN Route, (m) Multicast, (P) LPM-routing
(p) BFD protection active, (R) Modified, (S) Static, (s) Static LSP
(T) Matching RSVP-TE LSP, (t) Calculated RSVP-TE LSP, (u) Unicast, (U) Up

MPLS Label: (S) Bottom of Label Stack
Mask distribution:
1 routes at length 24

Route Origin distribution:
1 routes from Direct

Total number of routes = 1
Total number of compressed routes = 0

* X460-24t.6 # enable ipforwarding vlan199
* X460-24t.7 # show iproute vlan199
Ori Destination Gateway Mtr Flags VLAN Duration
#d 172.16.199.0/24 172.16.199.1 1 U------um--f- vlan199 18d:21h:8m:27s

Origin(Ori): (b) BlackHole, (be) EBGP, (bg) BGP, (bi) IBGP, (bo) BOOTP
(ct) CBT, (d) Direct, (df) DownIF, (dv) DVMRP, (e1) ISISL1Ext
(e2) ISISL2Ext, (h) Hardcoded, (i) ICMP, (i1) ISISL1 (i2) ISISL2
(is) ISIS, (mb) MBGP, (mbe) MBGPExt, (mbi) MBGPInter, (mp) MPLS Lsp
(mo) MOSPF (o) OSPF, (o1) OSPFExt1, (o2) OSPFExt2
(oa) OSPFIntra, (oe) OSPFAsExt, (or) OSPFInter, (pd) PIM-DM, (ps) PIM-SM
(r) RIP, (ra) RtAdvrt, (s) Static, (sv) SLB_VIP, (un) UnKnown
(*) Preferred unicast route (@) Preferred multicast route
(#) Preferred unicast and multicast route

Flags: (B) BlackHole, (b) BFD protection requested, (c) Compressed, (D) Dynamic
(f) Provided to FIB, (G) Gateway, (H) Host Route, (L) Matching LDP LSP
(l) Calculated LDP LSP, (3) L3VPN Route, (m) Multicast, (P) LPM-routing
(p) BFD protection active, (R) Modified, (S) Static, (s) Static LSP
(T) Matching RSVP-TE LSP, (t) Calculated RSVP-TE LSP, (u) Unicast, (U) Up

MPLS Label: (S) Bottom of Label Stack
Mask distribution:
1 routes at length 24

Route Origin distribution:
1 routes from Direct

Total number of routes = 1
Total number of compressed routes = 0

One thing I noticed on disabling ipforwarding:
ping to the DNS server (which is outside the switch) stops, and works again on enabling ipforwarding.
Userlevel 1
show iproute (end) output so we can see everything.
http://pastebin.com/Y9uvLWsC

It's a 479-line file of 40 kB.
Userlevel 4
I saw a lot of routes and VLANs. What is the solution you plan to build?
Userlevel 1
Wow... that's a lot...

can you not just disable ipforwarding on the default VR?
Finally, my aim is that the networks of vlan2001 (10.0.1/24) and vlan1967 (172.16.92.1/24) should not be accessible to other VLANs.
All other VLANs may access each other's gateway.
The trunk ports (21-24) will carry data of all VLANs.

To keep it less complicated, let's forget vlan1967.
So, if I could keep the vlan2001 network inaccessible to the other VLANs.
Also, it doesn't matter whether the other VLANs can or can't ping each other's networks.

This virtual router concept I couldn't grasp.

Userlevel 1
"This virtual router concept I couldn't grasp."

food for thought????
Userlevel 4
EXOS always uses virtual routers. As long as all VLANs are within one VR they can communicate.
If you create another VR and put the VLANs inside this VR, these VLANs can't communicate with the rest.
Userlevel 4
Have a look at page 677 in the Concepts Guide:

http://documentation.extremenetworks.com/exos_16.1/EXOS_User_Guide_16_1.pdf
Userlevel 1
Also the Command Reference Guide has a lot on VRs.

Sorry, can't find the doc link.
Userlevel 6
Here you go:
http://documentation.extremenetworks.com/exos_22.1/exos_21_1/virtual_routers/virtual-routers.shtml

REF: Extreme Unified Search http://www.extremenetworks.com/search/#q=virtual%20routers&t=Documentation&sort=relevancy
OK,
I will read the references
and then reply back.
1818-page PDF. Pretty detailed. Nice.
This is what I did:

* X460-24t.3 # configure vlan vlan2001 delete ports all
* X460-24t.4 # delete vlan vlan2001
Previously, vlan2001 was in the default virtual router.

* X460-24t.5 # virtual-router voip2001
* (vr voip2001) X460-24t.6 # create vlan "vlan2001"
* (vr voip2001) X460-24t.7 # configure vlan vlan2001 tag 2001
* (vr voip2001) X460-24t.8 # configure vlan vlan2001 add ports 21-24 tagged
Error: Port 21 belongs to virtual router VR-Default. VLAN is created on virtual-router voip2001
* X460-24t.11 # configure "VR-Default" delete ports 21-24
Error: Port 21 belongs to 426 VLAN(s). Delete the port from the VLAN(s)
* X460-24t.10 # show virtual-router "VR-Default"
Virtual Router : VR-Default Type : System
Description : Default VR
Operational State : Up
IPv4 Admin State : Enabled IPv6 Admin State : Enabled
IPv4 Route Sharing : Disabled IPv6 Route Sharing : Disabled
L3VPN SNMP Traps : Disabled
Protocols Configured :
--------------------------------------------------------------------
Protocol Process Configuration Protocol
Name Name Module Name Instances
--------------------------------------------------------------------
RIP rip rip 1
RIPng ripng ripng 1
--------------------------------------------------------------------
Port List : 1-30
VLANS:
...
lots of vlans
...
Virtual Router Totals :
Total Protocols : 2 Max Protocols : 8
Total Ports : 30
Total Vlans : 428
Total IPv4 Vlans : 427 Total Ipv6 Vlans : 0
Active IPv4 Vlans : 425 Active Ipv6 Vlans : 0
Inactive IPv4 Vlans : 2 Inactive Ipv6 Vlans : 0

Will I have to run
configure vlan delete ports 21-24
for all 428 of these?
Only then can I add two virtual routers (VR-Default and voip2001) to ports 21-24?
Userlevel 7
You need to delete the port from all VRs, then you can add more VLANs (with different VRs) to the port. So yes, you need to delete the port from all VLANs, then you can delete the port from the VR, then you can add those VLANs again to the port. Regards Z.
Did it.
I hosted two virtual routers on port 21 of my switch.
Works as desired.
Thank you all.
