Extreme Networks

Simple question about ACLs


Userlevel 4
Hello, everybody!

I have VLAN x and 192.168.1.0/24 network inside it. Bootprelay configured for the VLAN and clients get IPs. Everything works well.

I have the ACL, applied to the VLAN x as ingress:

entry VLAN-x {
    if {
        destination-address 192.168.1.0/24 ;
    } then {
        permit ;
    }
}

entry Denyall {
    if {
        source-address 0.0.0.0/0 ;
    } then {
        deny ;
    }
}

Am I right in understanding the following:

1) All L2 traffic is permitted
2) DHCP is permitted

Many thanks in advance,

Ilya

2 replies

Userlevel 6
Hi Ilya,

The first rule would be allowing all the traffic destined to the IP subnet 192.168.1.0/24. So, IP traffic between the IP hosts within the VLAN would be allowed. (Layer 2)
Since we are blocking the rest of the traffic, I believe even ARP traffic would be blocked. Hence the hosts' connectivity would be affected.
So, I recommend adding another rule as below before the deny rule.

entry VLAN-x-1 {
    if {
        ethernet-type 0x0806 ;
    } then {
        permit ;
    }
}

Also, the DHCP traffic would also be blocked as per my understanding. So, it would be good to allow the broadcast traffic with the following rule.

entry VLAN-x-2 {
    if {
        ethernet-destination-address ff:ff:ff:ff:ff:ff ;
    } then {
        permit ;
    }
}
or have a separate rule for DHCP destination-ports 67 and 68.

Hope this helps!
Userlevel 6
With those rules you should be ok with L2 protocols such as LACP, EDP, STP, etc.

However, as already said by Prashanth, the 2nd rule will also block ARP and DHCP packets.
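To make the behaviour the two replies describe concrete, here is an added Python model (not EXOS code and not from either poster) that evaluates the posted entries, the ARP and broadcast entries from the first reply, and a separate DHCP destination-port entry against constructed sample frames. It assumes first-match evaluation and that the catch-all deny matches non-IP frames such as ARP, as both replies read it; the entry name VLAN-x-3, the off-subnet DHCP server address and the frames are made up.

```python
from ipaddress import ip_address, ip_network

BROADCAST = "ff:ff:ff:ff:ff:ff"
ETH_ARP, ETH_IPV4 = 0x0806, 0x0800

# Match helpers; each returns a predicate over a frame dict.
def dst_in(cidr):
    net = ip_network(cidr)
    return lambda f: "dst_ip" in f and ip_address(f["dst_ip"]) in net
def eth_type(t):
    return lambda f: f.get("ethertype") == t
def eth_dst(mac):
    return lambda f: f.get("dst_mac") == mac
def udp_dport(ports):
    return lambda f: f.get("proto") == "udp" and f.get("dport") in ports

# Entries are evaluated top-down, first match wins. The catch-all deny is
# assumed to match every frame, ARP included, as both replies read it.
PERMIT_SUBNET = ("VLAN-x", dst_in("192.168.1.0/24"), "permit")
PERMIT_ARP = ("VLAN-x-1", eth_type(ETH_ARP), "permit")
PERMIT_BCAST = ("VLAN-x-2", eth_dst(BROADCAST), "permit")
PERMIT_DHCP = ("VLAN-x-3", udp_dport({67, 68}), "permit")  # name is hypothetical
DENY_ALL = ("Denyall", lambda f: True, "deny")

ORIGINAL = [PERMIT_SUBNET, DENY_ALL]                        # as posted
WITH_ARP_BCAST = [PERMIT_SUBNET, PERMIT_ARP, PERMIT_BCAST, DENY_ALL]
WITH_DHCP_PORTS = [PERMIT_SUBNET, PERMIT_ARP, PERMIT_DHCP, DENY_ALL]

def evaluate(policy, frame):
    """Return the action of the first entry whose condition matches."""
    for _name, cond, action in policy:
        if cond(frame):
            return action
    return "permit"  # nothing matched; assumed implicit permit (why Denyall exists)

# Constructed sample frames from a client in VLAN x; the DHCP server sits
# behind the bootprelay agent, so a lease renewal is unicast off-subnet.
FRAMES = {
    "arp_request": {"ethertype": ETH_ARP, "dst_mac": BROADCAST},
    "dhcp_discover": {"ethertype": ETH_IPV4, "dst_mac": BROADCAST,
                      "dst_ip": "255.255.255.255", "proto": "udp", "dport": 67},
    "dhcp_renew_unicast": {"ethertype": ETH_IPV4, "dst_mac": "00:00:5e:00:53:01",
                           "dst_ip": "10.0.0.5", "proto": "udp", "dport": 67},
    "ping_neighbor": {"ethertype": ETH_IPV4, "dst_mac": "00:00:5e:00:53:02",
                      "dst_ip": "192.168.1.20", "proto": "icmp"},
}

def verdicts(policy):
    """Map each sample frame name to the action the policy takes on it."""
    return {name: evaluate(policy, frame) for name, frame in FRAMES.items()}
```

Under this model the posted policy denies both the ARP request and the DHCP discover, the broadcast entry restores those but still drops the unicast renewal to the relayed server, and only the destination-port entry covers both DHCP cases.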
