Solved

EXOS 22.7.x.x - ACL Preventing Layer 2 Communication between clients in the same subnet.

  • 10 February 2021
  • 3 replies
  • 47 views


Has anyone else got an issue with clients communicating with each other on the same subnet when deploying an ACL policy on egress of a VLAN?

In the Cisco world a normal RFC1918 ACL egressing the VLAN is sufficient for a guest network; clients can still communicate with each other, but this can be additionally adjusted with an ACL.


It seems in EXOS that as soon as you define an ACL it enables a type of client isolation, and the only way around this would be to specifically allow client-to-client traffic via an additional rule that permits egress traffic of the whole subnet.


Best answer by RobertWilkinson 29 March 2021, 18:22

Turns out it works on ingress on the VLAN; Cisco and Enterasys are the opposite way round. All sorted now.


Still have to have an entry that has the L2 subnet as both source and destination to allow clients to reach each other, but that is not a major issue, just not the usual behaviour for other vendors' ACLs.


3 replies


Could you show us the ACL you created? 


@Stefan K. 


Something like this:

entry 1 {
    if match all {
        destination-address 10.0.0.0/8 ;
    }
    then {
        deny ;
        count deny ;
    }
}
entry 2 {
    if match all {
        destination-address 172.16.0.0/12 ;
    }
    then {
        deny ;
        count deny ;
    }
}
entry 3 {
    if match all {
        destination-address 192.168.0.0/16 ;
    }
    then {
        deny ;
        count deny ;
    }
}

Applied to a VLAN on egress, let's say VLAN100, if I have two clients configured on the same switch that is doing the L3, they cannot communicate with each other. I've never had this with Cisco/HP/Dell.


The only way I can then get it to work is with an additional entry of:

entry 4 {
    if match all {
        source-address 192.168.1.0/24 ;
        destination-address 192.168.1.0/24 ;
    }
    then {
        permit ;
    }
}


Having an ACL blocking access to the RFC1918 subnets also blocks routing protocols like VRRP, but I have seen another article on that, and it only seems to really affect the likes of VRRP if the ACL is on ingress.
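As an added example (not from this thread, and not Extreme's own code), here is a small Python evaluator for the entry/if-match/then policy syntax quoted above. It parses a constructed policy in that style and applies top-down, first-match evaluation, which is the reason the intra-subnet permit has to sit before the 192.168.0.0/16 deny: 192.168.1.0/24 lies inside that range, so a permit placed after the deny is never reached. The entry names and addresses are constructed, and the "no entry matched means forwarded" default is an assumption about the policy having no explicit deny-all at the end.

```python
import ipaddress
import re

# Constructed sample policy (not the poster's file). The intra-subnet permit
# is placed FIRST so it is evaluated before the 192.168.0.0/16 deny.
SAMPLE_POLICY = """
entry guest_l2 {
if match all {
source-address 192.168.1.0/24 ;
destination-address 192.168.1.0/24 ;
}
then {
permit ;
}
}
entry deny_10 {
if match all {
destination-address 10.0.0.0/8 ;
}
then {
deny ;
count deny_10 ;
}
}
entry deny_192 {
if match all {
destination-address 192.168.0.0/16 ;
}
then {
deny ;
count deny_192 ;
}
}
"""

# One entry: name, the conditions inside "if match all { ... }", the actions
# inside "then { ... }". Conditions never nest braces, so non-greedy is safe.
ENTRY_RE = re.compile(
    r"entry\s+(\S+)\s*\{\s*if\s+match\s+all\s*\{(.*?)\}\s*then\s*\{(.*?)\}\s*\}",
    re.S,
)


def parse_policy(text):
    """Return [(name, {condition: network}, action)] in file order."""
    entries = []
    for name, match_block, action_block in ENTRY_RE.findall(text):
        conds = {}
        for raw in match_block.splitlines():
            line = raw.strip().rstrip(";").strip()
            if not line:
                continue
            key, value = line.split(None, 1)
            if key not in ("source-address", "destination-address"):
                raise ValueError(f"unsupported match condition: {key}")
            conds[key] = ipaddress.ip_network(value.strip())
        # Keep only the action keyword of each "word ... ;" statement.
        actions = [s.strip().split()[0] for s in action_block.split(";") if s.strip()]
        action = "permit" if "permit" in actions else "deny"
        entries.append((name, conds, action))
    return entries


def evaluate(entries, src, dst):
    """Walk entries top to bottom; the first entry whose conditions all hold wins."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, conds, action in entries:
        hit = all(
            (src_ip if key == "source-address" else dst_ip) in net
            for key, net in conds.items()
        )
        if hit:
            return name, action
    # Assumption: a packet matching no entry is forwarded (no explicit
    # deny-all at the end of the policy).
    return None, "permit"


def permit_last(entries):
    """Reorder so permits follow the denies: the order that breaks client-to-client."""
    return [e for e in entries if e[2] == "deny"] + [e for e in entries if e[2] == "permit"]


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    for order, entries in (("permit first", policy), ("permit last", permit_last(policy))):
        print(order, "->", evaluate(entries, "192.168.1.10", "192.168.1.20"))
```

Run it and the same two-client flow is permitted by `guest_l2` when that entry leads the policy, but denied by `deny_192` when the permit is appended after the RFC1918 denies; traffic from another subnet towards 192.168.1.0/24 is still denied in both orders, since the permit requires both source and destination to be inside the /24.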

