
Help with inter-VLAN routing ACL


Greetings! This is my first post here. My name is John and I'm trying to configure a scalable solution for our monitoring system to keep track of individual circuit health.

I've configured one Extreme Networks X440-48t switch stack as a router connecting to switches at different buildings over metro ethernet circuits.

Each building switch can see the routing switch on a /30 like so:

Routing switch stack (X440-48t)      Building switches (X440-8p)
VLAN 311:     192.168.252.1/30   ->  192.168.252.2
VLAN 512:     192.168.252.5/30   ->  192.168.252.6
VLAN 242:     192.168.252.9/30   ->  192.168.252.10
Default VLAN: 192.168.2.236/24
|
Core switching stack
|
Internal Core Router
|
192.168.2.254

I want IP traffic coming from the 192.168.2.0 network to have access to all VLANs with those /30 addresses, but I do not want each of the switches to be able to communicate with each other.

For example:

192.168.252.2/30 should not be able to communicate with 192.168.252.6/30 or 192.168.252.10/30.

What would be the most efficient and manageable way to achieve this goal using EXOS ACLs, while also planning for the fact that there could be endless VLAN interfaces configured this way in the future?

Thanks in advance for any assistance.

John

10 replies

Hey John

I am assuming you want the switches with the /30 to send route updates correct?

The ACLs in the 440 work from top to bottom, so you would need to permit the traffic between the /30s first, then deny source 192.168.252.0/24 destined to 192.168.252.0/24. You will need another ACL to deny ICMP for those subnets as well.

After the deny, any other traffic should flow as normal.

Does that make sense? Do you need the actual layout of the ACL, or did you get that from the Concepts Guide?

If I am misunderstanding please let me know

P
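The ACL layout being discussed, written out as an added example (it is not from the thread or from Extreme's documentation): one EXOS policy file applied ingress on every spoke-facing /30 VLAN of the routing stack. The policy name `spoke_isolation`, the counter name `spoke_to_spoke` and the VLAN names `v311`, `v512`, `v242` are assumptions; the addresses are the ones in John's table.

```text
# spoke_isolation.pol  (added example; file, entry, counter and VLAN names are assumed)
# EXOS evaluates the entries of a policy top to bottom and stops at the first match,
# so anything that must be permitted has to appear above the deny.

# Spoke subnet -> spoke subnet: drop it and count the hits.
# A source/destination address match applies to every IP protocol, ICMP included,
# so the same entry also stops pings between spokes.
entry deny_spoke_to_spoke {
    if {
        source-address 192.168.252.0/24;
        destination-address 192.168.252.0/24;
    } then {
        deny;
        count spoke_to_spoke;
    }
}

# Everything else, in particular spoke <-> 192.168.2.0/24 (the monitoring side), is allowed.
entry permit_rest {
    if {
    } then {
        permit;
    }
}

# On the routing stack, after placing the file in /config (tftp get, or edit policy):
#   check policy spoke_isolation
#   configure access-list spoke_isolation vlan v311 ingress
#   configure access-list spoke_isolation vlan v512 ingress
#   configure access-list spoke_isolation vlan v242 ingress
#   show access-list counter
```

The same file can be bound to each new spoke VLAN unchanged, which covers the "endless VLAN interfaces" requirement. The caveat is the one P's ordering hint points at: a spoke talking to its own gateway address (192.168.252.2 -> 192.168.252.1 enters on v311) also falls inside 192.168.252.0/24 -> 192.168.252.0/24 and is dropped, so the spokes cannot ping the routing stack itself. If that is needed, a `permit` entry for that VLAN's gateway /32 has to sit above the deny, and at that point the policy is per VLAN rather than one file for all of them.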
The way it's configured, there is one 24-port switch at one location, connected to multiple 8-port switches at different locations. This 24-port switch is acting as the gateway for VPN clients to the smaller switches using /30 point-to-point connections. A rudimentary illustration:

VPN
|
router
|
summit stack
|
independent summit 24 port aggregator
24p1 -> /30 -> 8p location 1
24p2 -> /30 -> 8p location 2
24p3 -> /30 -> 8p location 3

As you can see, I want traffic going into the 24 port to have access to the 24 port and all of the 8 port switches at different locations, with the 24 port acting as the default gw to the 8s. What I don't want is for the 8 ports to be able to get to each other through the 24. The 24 is acting as a forwarding gateway. I'm just looking for the easiest way to do this as a policy, because I don't want to update the ACL every time we add a new location. Is this possible? If so, could you point me in the right direction and maybe throw an example in? I'm not announcing routes in this scenario.

Hi John,

I was thinking the solution to this would be as simple as configuring the ports on the 24p switch connecting to every 8p switch as isolation ports.

Following is an explanation about this feature:
The Port Isolation feature blocks accidental and intentional inter-communication between different customers residing on different physical ports. This feature provides a much simpler blocking mechanism without the use of ACL hardware. The fundamental requirements are as follows:

Blocking rules: All traffic types received on an isolation port are blocked from being forwarded through other 'isolation' ports. All traffic types received on an isolation port can be forwarded to any other port. All traffic types received on non-isolation ports are permitted to be forwarded to isolation ports. There is no access-list hardware use. The blocking mechanism is a set of one or two table memories. These resources are not shared with other features, nor do they have any scaling limits that can be reached by configuring this feature. Port isolation can be configured in conjunction with other features, including VPLS, IDM, and XNV. However, you cannot configure a mirror-to port to be an isolated port.
command:

configure port isolation on.

Let me know your thoughts.

If the ports of the 24p connecting to the 8p switches will have only the /30 VLAN, this should meet your requirement.
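What the hub side looks like with that approach, as an added example that is not part of the thread: the 24-port aggregator carries one /30 VLAN per spoke port, routes between them, and isolates only the spoke-facing ports. Port numbers (1-3 to the spokes, 24 to the core) and the VLAN names `v311`, `v512`, `v242` are assumptions; addresses and tags follow John's table. The `isolation` command needs EXOS 15.3 or later.

```text
# Hub configuration with port isolation (added example; port numbers and VLAN names are assumed)

# One /30 VLAN per spoke, untagged on the spoke-facing port, nothing else on that port.
create vlan v311
configure vlan v311 tag 311
configure vlan v311 add ports 1 untagged
configure vlan v311 ipaddress 192.168.252.1/30
enable ipforwarding vlan v311

create vlan v512
configure vlan v512 tag 512
configure vlan v512 add ports 2 untagged
configure vlan v512 ipaddress 192.168.252.5/30
enable ipforwarding vlan v512

create vlan v242
configure vlan v242 tag 242
configure vlan v242 add ports 3 untagged
configure vlan v242 ipaddress 192.168.252.9/30
enable ipforwarding vlan v242

# Isolation only on the spoke-facing ports. Isolated -> isolated (port 1 -> port 2) is
# blocked; isolated -> non-isolated (port 1 -> uplink 24) and non-isolated -> isolated
# (uplink 24 -> port 1) still forward, so 192.168.2.0/24 reaches every spoke.
configure ports 1-3 isolation on

# A new location later is one more VLAN plus one more isolated port; there is no ACL to edit.
show ports 1-3 information detail
```

The uplink towards the core stays a normal port on purpose: if it were isolated as well, the spokes could no longer reach the 192.168.2.0/24 side either.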

This is EXACTLY what I'm looking for. I looked at port isolation, and I thought that's what it did, but the documentation was (IMO) not clear enough about the expected behavior. Thank you very much for the clarification. I'll implement this and let you know my results.
Does port isolation work on ports with tagged VLANs? Or only untagged?

Also, what version of EXOS does this feature come in on? I've got 15.2.3.2 v1523b2-patch1-12, but it does not pop up as an option.

Hi John,

This command is available only from 15.3. 😞
And this is a port-specific configuration and hence should not be dependent on whether the VLAN is tagged or untagged.

That's what I would have thought too. However, I have an 8p running 15.3x at a building and, to test, I enabled port isolation on all but the uplink port (12):

configure ports 1-11 isolation on

Based off of the description in the docs, only *isolated* ports should not be able to forward to each other. Port 12 is not isolated; it is the trunk uplink back to the colo.

Port 11 has 3 tagged VLANs, none untagged, and port 12 has 1 untagged VLAN and 3 tagged VLANs.

When I enabled port isolation packet forwarding stopped between 11 & 12.

Am I missing a step in the configuration?

If I get this right, after enabling port isolation on ports 1-11, they stopped communicating with port 12 as well. Is that correct?
How about between ports 1 to 11; are they working as expected?

It would be good to explain the exact traffic that you have tested between ports 11 and 12. In which VLAN did the traffic flow?
Does the show fdb output display the source and destination MAC address?

Please share these outputs as well.

1. show port 11-12 information detail
2. show fdb port 11-12

I will also test this in parallel and let you know.

Hi John,

I tested multiple scenarios with port isolation.

It really does not matter if the port is tagged or untagged. If I make the ports of the core switches connecting to access switches isolated ports, the access switches do not communicate with each other, but they are able to reach the gateway.

In your network too, it would be ideal to configure port isolation only on the 24p switch, which will do the ipforwarding. Hope this helps!

Please share more details about the issue that you are facing as requested above.

Thank you for the update. I'll need to test this on my end.

The 24t needs its firmware updated, so I'll have to schedule an outage.

The switch that I ran the initial test on does not have ipforwarding enabled, and that could explain why it didn't work.

I'll update the firmware this week and confirm.
