topic Re: VDX 6740 - How to control L3 traffic flow between vlans - with ACLs? in Data Center (VDX)

VDX 6740 - How to control L3 traffic flow between vlans - with ACLs?

Pawel_Eljasz — Wed, 20 Feb 2019 01:17:41 GMT

hi guys

if I need to allow only certain nodes to access vlans behind VE iface do I do it with ACLs?

I think of that VE on VlanZ as a gateway to those nodes, through which the nodes would get to other Vlans.

Would I need to construct ACLs with all the subnets & hosts or there is another, simpler way?

And if yes, them I'm trying but... I fail. How would such a rule look like?
I'm trying something obvious:

deny ip any 10.5.8.0 255.255.255.0

then apply it to the VE iface as ingress, but... nodes which have VE's IP as the gateway to 10.5.8.0/24 still get there.

many thanks.

Re: VDX 6740 - How to control L3 traffic flow between vlans - with ACLs?

Pawel_Eljasz — Wed, 20 Feb 2019 22:29:41 GMT

Or for such purposes ACL is not enough and Policy-Based Routing is necessary?

Re: VDX 6740 - How to control L3 traffic flow between vlans - with ACLs?

Truyen_Phan — Thu, 21 Feb 2019 07:01:06 GMT

Can you try using hard-drop instead?

code:

device(config)# ip access-list extended ipv4-acl-example
device(conf-ipacl-ext)# hard-drop ip any 10.5.8.0 255.255.255.0

It's not clear on how you want to block the traffic. You want to apply the ACL at the VE to block hosts which are using that VE as their gateway from talking to other hosts on the same subnet?

Also, please provide a bit more details ( hosts source and destination IP and topology).

Re: VDX 6740 - How to control L3 traffic flow between vlans - with ACLs?

Pawel_Eljasz — Thu, 21 Feb 2019 19:53:19 GMT

Tried hard-drop, did not work neither.

Again: "I think of that VE on VlanZ as a gateway to those nodes, through which the nodes would get to other Vlans."

Anything that travels to & through VE(which nodes would claim as the gateway). Ex.:

code:

ip access-list extended protect-VLANs
seq 10 permit ip host 192.168.2.144 any
seq 50 deny ip any 10.5.8.0 255.255.255.0
seq 51 deny ip any 10.5.7.0 255.255.255.0
seq 90 permit ip any any

Replace deny with hard-drop, apply this ACL to VE and still nodes from 192.168.2.0/24 gets to nodes in/from vlan subnet 10.5.8.0.
That VE in physical layer is a port group(two phys ports) which link to the "rest" of the world.

Either it's some bug or ACLs cannot do that on their own, by design, and something else must along with ACLs must be fixed. Maybe PBR...

I also thought that ACLs would just work. I come from, still use, Dell and there (slightly older PC62xx) it's only ACLs you need to do the trick.

Re: VDX 6740 - How to control L3 traffic flow between vlans - with ACLs?

Truyen_Phan — Fri, 22 Feb 2019 17:54:07 GMT

I just realized that your wild card mask has the wrong syntax.

Please try this ACL to block subnet 10.5.8.0 /24 and 10.5.7.0/24

code:

ip access-list extended protect-VLANs
seq 10 permit ip host 192.168.2.144 any
seq 50 deny ip any 10.5.8.0 0.0.0.255
seq 51 deny ip any 10.5.7.0 0.0.0.255
seq 90 permit ip any any

Re: VDX 6740 - How to control L3 traffic flow between vlans - with ACLs?

Pawel_Eljasz — Sat, 23 Feb 2019 21:19:05 GMT

What monstrosity is that?
How to read this notation?

Re: VDX 6740 - How to control L3 traffic flow between vlans - with ACLs?

Truyen_Phan — Mon, 25 Feb 2019 03:45:10 GMT

When configuring ACLs on the VDX, the wildcard mask is inverted from the subnet mask.

https://en.wikipedia.org/wiki/Wildcard_mask