I have multiple VLANs where I want to allow routing all VLANs to/from one particular special VLAN, but I do not want to route traffic between the "normal" VLANs.


Try this part:

...
    entry EverythingElse {
        if match all {
            source-address 0.0.0.0/0;
        }
        then {
            deny;
            count Deny;
        }
    }

I just finished fighting a similar issue. Without specifying "source anywhere", it denies everything.

In my case I have multiple VLANs where I want to allow routing all VLANs to/from one particular special VLAN, but I do not want to route traffic between the "normal" VLANs.

I'll start a thread on that...
Note: This topic was created from a reply on the static ACL question - block traffic vlan1 to vlan2 with exceptions topic.


Hi Frank, I thought I would start this thread for you to see if anyone might be able to give you some advice. Have a great day!
Hello Frank

The ACLs in XOS have an implicit permit, not an implicit deny, so adding your final entry is needed to make sure that all traffic is dropped unless it is explicitly permitted in the other entries.

Not sure if that is answering your question so if you can provide more information we can look it over.

Thanks
P
I think I sorted it out in the thread that I started - the problem seems to be that denying via

    if match all {
    } then {
        deny;
    }

truly matches everything - every protocol, every port, every address, and especially every ARP.
It also appears that it means that a "deny" rule like that also matches previously "accept"ed packets (because of the ARP test?)
Lesson learned: don't deny all like this, deny all in a more specific manner 😉

(I don't know if that was the intended behavior of "match all {}", but that's how it seems to play out.)

Jarek helped me out with that in this thread: https://community.extremenetworks.com/extreme/topics/access_list_policy_and_selective_routing_betwee...
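The following is an added example policy, not one posted in this thread, that applies the two points made above (XOS ACLs have an implicit permit, and a bare "match all" deny also swallows ARP) to the original goal of routing every VLAN to one special VLAN while blocking the "normal" VLANs from each other. Addressing is assumed: special VLAN 10.0.100.0/24, this normal VLAN 10.0.1.0/24; the policy is assumed to be applied at ingress on that one normal VLAN, with a sibling policy per other normal VLAN, and the use of ethernet-type as a match condition is an assumption about the EXOS policy syntax.

```text
# Added example policy for one normal VLAN (10.0.1.0/24); not from the thread.
# Entries are evaluated in order and the first match wins; anything that
# matches no entry is permitted (implicit permit).

# Hosts in this VLAN may reach the special VLAN.
entry ToSpecialVlan {
    if match all {
        destination-address 10.0.100.0/24;
    } then {
        permit;
        count ToSpecial;
    }
}

# Keep intra-VLAN traffic working; without this the final deny would also
# drop switched traffic between two hosts in 10.0.1.0/24.
entry KeepLocalVlan {
    if match all {
        destination-address 10.0.1.0/24;
    } then {
        permit;
        count Local;
    }
}

# Deny only IPv4 (ethernet-type 0x0800, assumed syntax) instead of
# "match all {}", so ARP (0x0806) and other non-IP frames are left alone
# and the implicit permit still covers them.
entry DenyOtherIPv4 {
    if match all {
        ethernet-type 0x0800;
        source-address 0.0.0.0/0;
        destination-address 0.0.0.0/0;
    } then {
        deny;
        count DenyOtherIPv4;
    }
}
```

The count names let you confirm with the switch's access-list counter output that ARP and same-VLAN traffic never hit DenyOtherIPv4 while traffic destined for another normal VLAN does.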
