
ACL applying over VLAN


Userlevel 1
We have three VLANs, all with inter-VLAN routing:
VLAN-1 = 10.3.1.0
VLAN-2 = 10.3.2.0
VLAN-3 = 10.3.5.0
My boss wants VLAN-2 and VLAN-3 to not communicate with VLAN-1, so that's why we implemented a policy to disable traffic forwarding to VLAN-1.



After applying this policy on VLAN-1 in the ingress direction, VLAN-2 and VLAN-3 are not communicating.

I want VLAN-2 and VLAN-3 to communicate with each other.

7 replies

Userlevel 5
Easier option would be to disable ip forwarding for vlan 1
Andre Brits Kannemeyer wrote:

Easier option would be to disable ip forwarding for vlan 1

Usually VLANs are used to separate traffic. So from a pure switching point of view, and with no bad-cable-based VLAN translations, they don't see each other. Maybe you implemented some routing. If so, follow the proposal from Alok.
Userlevel 1
Andre Brits Kannemeyer wrote:

Easier option would be to disable ip forwarding for vlan 1

I don't want to disable ipforwarding on VLAN-1.
Andre Brits Kannemeyer wrote:

Easier option would be to disable ip forwarding for vlan 1

If VLAN 1 should not communicate with VLAN 2, what are you doing with IP forwarding? Switching will be done anyway, or do you talk about an additional uplink?
Userlevel 1
Andre Brits Kannemeyer wrote:

Easier option would be to disable ip forwarding for vlan 1

As VLAN-1 is used for the uplink, but VLAN-2 and VLAN-3 users should communicate.
Andre Brits Kannemeyer wrote:

Easier option would be to disable ip forwarding for vlan 1

Don't get you. If VLAN 2 and VLAN 3 should be able to use the uplink, but the uplink-connected hosts should not reach VLAN 2 and 3, you need a firewall. If VLAN 2 and VLAN 3 should not reach the uplink, just disable ipforwarding for VLAN 1 because there is no need for it.
Userlevel 3
Hi,

you have:

- VLAN-1= 10.3.1.0/24
- VLAN-2= 10.3.2.0/24
- VLAN-3= 10.3.5.0/24

and you want to block traffic from VLAN-2 to VLAN-1,
then you should apply an ACL on VLAN-2 on ingress like below:

entry V1_block {
    if match all {
        destination-address 10.3.1.0/24;
    } then {
        count traffic_to_v1;
        deny;
    }
}

A similar example would be used for VLAN-3.

--
Jarek
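Added example, not part of the thread: a small first-match evaluator for EXOS-style ACL entries, used to check which inter-VLAN flows Jarek's policy actually denies when it is applied at ingress on VLAN-2 and VLAN-3. The policy text, the VLAN subnets and the sample flows are taken from the thread; the parser, the `forward()` helper and the assumption that the same policy file is applied to both VLANs are mine.

```python
"""Added example (not from the thread): a small first-match evaluator for
EXOS-style ACL entries, used to check which inter-VLAN flows the policy
Jarek posted actually denies when applied at ingress on VLAN-2 and VLAN-3."""
import ipaddress
import re

# Policy text in the syntax of Jarek's entry (constructed copy). EXOS lets one
# policy file be applied to several VLANs, so the same text serves VLAN-3.
POLICY_TEXT = """
entry V1_block { if match all {
destination-address 10.3.1.0/24;
} then {
count traffic_to_v1;
deny;
}}
"""

# VLAN subnets from the original question.
VLANS = {
    "VLAN-1": ipaddress.ip_network("10.3.1.0/24"),
    "VLAN-2": ipaddress.ip_network("10.3.2.0/24"),
    "VLAN-3": ipaddress.ip_network("10.3.5.0/24"),
}

ENTRY_RE = re.compile(
    r"entry\s+(\w+)\s*\{\s*if\s+match\s+(all|any)\s*\{(.*?)\}\s*then\s*\{(.*?)\}\s*\}",
    re.S,
)


def parse_policy(text):
    """Parse 'entry NAME { if match all|any {...} then {...} }' blocks."""
    entries = []
    for name, mode, conds, actions in ENTRY_RE.findall(text):
        match = {}
        for cond in conds.split(";"):
            cond = cond.strip()
            if cond:
                key, value = cond.split(None, 1)
                match[key] = value.strip()
        acts = [a.strip().split()[0] for a in actions.split(";") if a.strip()]
        entries.append({"name": name, "mode": mode, "match": match, "actions": acts})
    return entries


def _condition_holds(key, value, flow):
    # Only the address matches needed for this thread are modelled.
    if key == "source-address":
        return ipaddress.ip_address(flow["src"]) in ipaddress.ip_network(value)
    if key == "destination-address":
        return ipaddress.ip_address(flow["dst"]) in ipaddress.ip_network(value)
    raise ValueError(f"match condition not modelled here: {key}")


def evaluate(entries, flow):
    """First matching entry wins; a packet matching no entry is permitted,
    which is the EXOS default for ACL policies."""
    for entry in entries:
        results = [_condition_holds(k, v, flow) for k, v in entry["match"].items()]
        hit = all(results) if entry["mode"] == "all" else any(results)
        if hit:
            return ("deny" if "deny" in entry["actions"] else "permit"), entry["name"]
    return "permit", None


# Ingress policy per VLAN, as Jarek's answer proposes: VLAN-2 and VLAN-3 get
# the block, VLAN-1 (the uplink VLAN) keeps no ACL.
INGRESS = {"VLAN-2": parse_policy(POLICY_TEXT), "VLAN-3": parse_policy(POLICY_TEXT)}


def vlan_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    raise ValueError(f"{ip} is in none of the configured VLANs")


def forward(src, dst):
    """Verdict for a packet from src to dst, checked at ingress on src's VLAN."""
    verdict, _ = evaluate(INGRESS.get(vlan_of(src), []), {"src": src, "dst": dst})
    return verdict


if __name__ == "__main__":
    for src, dst in [("10.3.2.10", "10.3.1.5"), ("10.3.5.10", "10.3.1.5"),
                     ("10.3.2.10", "10.3.5.20"), ("10.3.1.5", "10.3.2.10")]:
        print(f"{vlan_of(src)} {src} -> {vlan_of(dst)} {dst}: {forward(src, dst)}")
```

Running it shows VLAN-2 and VLAN-3 to VLAN-1 denied while VLAN-2 and VLAN-3 still reach each other, which is the behaviour the question asks for. The last sample flow also shows the caveat of a stateless ACL: a packet from 10.3.1.5 into VLAN-2 is permitted (VLAN-1 has no ingress policy), but VLAN-2's reply toward 10.3.1.0/24 is dropped by V1_block, so sessions opened from VLAN-1 fail as well. If hosts on the uplink VLAN must be able to initiate connections into VLAN-2 and VLAN-3 while the reverse is blocked, this ACL is the wrong tool and a stateful firewall is needed, as the earlier reply in the thread notes.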
