topic ACL for applying over VLAN in ExtremeCloud IQ- Site Engine Management Center

ACL for applying over VLAN

Alok_Shukla — Wed, 28 Feb 2018 12:00:00 GMT

We have 4 VLAN over Core Switch (MLAG configured)
VLAN 1: 10.3.1.0
VLAN 2: 10.3.2.0
VLAN 3: 10.3.3.0
VLAN 4: 10.3.4.0

we don't want VLAN-3 and VLAN-2 to communicate with VLAN-1.
But VLAN-2 and VLAN-3 should communicate each other.
Help to apply me what ACL should be applying?

RE: ACL for applying over VLAN

Mel78__CISSP__E — Wed, 28 Feb 2018 12:05:00 GMT

The most straightforward way to do is using VRF.

RE: ACL for applying over VLAN

Aman — Wed, 28 Feb 2018 12:29:00 GMT

Hi alok,

You can deny the traffic for VLAN 1 from VLAN 2 & VLAN 3.

entry Vlan_2 {
if match all {
source-address 10.3.2.0/24;
Destination-Address 10.3.1.0/24;
}
then {
count Corp_Vlan_2 ;
deny ;
}
}
entry Vlan_3 {
if match all {
source-address 10.3.3.0/24;
Destination-Address 10.3.1.0/24;
}
then {
count Corp_Vlan_Traffic2 ;
deny ;
}

RE: ACL for applying over VLAN

Alok_Shukla — Wed, 28 Feb 2018 12:29:00 GMT

Thanks Aman
this ACL is applied on ingress direction

RE: ACL for applying over VLAN

Alok_Shukla — Wed, 28 Feb 2018 19:02:00 GMT

It's not working, still pinging both VLAN

RE: ACL for applying over VLAN

Aman — Wed, 28 Feb 2018 19:02:00 GMT

did you apply on the Ingress direction?

RE: ACL for applying over VLAN

Aman — Wed, 28 Feb 2018 19:02:00 GMT

** count Corp_Vlan_3 in last statement.
I also doing first time so it could be wrong , but it should work.

RE: ACL for applying over VLAN

Alok_Shukla — Wed, 28 Feb 2018 19:02:00 GMT

yes, we had applied on ingress direction but still, both VLAN can ping each other.

Note If an ACL needs to be installed for traffic that is L3 routed, and the ingress/egress ports are on different packet-processing units or different slots, and any of the following features are enabled, we recommend that you install the policy on a per-port basis rather than applying it as a wildcard, or VLAN-based ACL. • MLAG (Multi-switch Link Aggregation Group) • PVLAN • Multiport-FDB (forwarding database)