topic Using ACL to isolate all VLAN, only certain VLAN are allow to communicate. in ExtremeSwitching (EXOS/Switch Engine) https://community.extremenetworks.com/t5/extremeswitching-exos-switch/using-acl-to-isolate-all-vlan-only-certain-vlan-are-allow-to/m-p/21998#M1728 Hi All,<BR /> <BR /> I have an situation, the requirement need us to isolate all VLAN, only allow certain VLAN communicate with each other. However, all VLAN shall able to go Internet.<BR /> <BR /> The challenge is there are OSPF in the network.<BR /> Besides, there area VRRP configured in each of the ospf area, I hope it will not affected by ACL.<BR /> <BR /> ospf area A ospf area B ospf area C<BR /> -------------------------------------------------------------<BR /> Vlan1A Vlan1B Vlan1C<BR /> Vlan2A Vlan2B Vlan2C<BR /> Vlan3A Vlan3B Vlan3C<BR /> Vlan4A Vlan4B Vlan4C<BR /> Vlan_p2p_A Vlan_p2p_B Vlan_p2p_C<BR /> Vlan_Internet<BR /> <BR /> * Different ospf area have different segment. Hence, there are 12 vlan + 1 vlan_internet<BR /> * Vlan_p2p are point-to-point type to establish ospf routing table<BR /> * All Vlan shall be isolated. However, they need communicate with Vlan_Internet inorder to go Internet<BR /> * Vlan1 are only allow to communicate with Vlan1 in other ospf area, same goes Vlan2, 3 and 4.<BR /> <BR /> My idea on how to create ACL:<BR /> * Create 3 different deny ACL (denyICMP, denyTCP, denyUDP) then apply to Vlan1, 2, 3 and 4 in all 3 area. (Lowest priority) <BR /> * Create 12 different permit ACL (permitVLAN1A, permitVLAN1B, permitVLAN1C, permitVLAN2A, permitVLAN2B .....) and apply to respective Vlan.<BR /> * Create permit ACL (Vlan_Internet) and apply to all Vlan<BR /> <BR /> I am not sure is this the way to configure ACL. It doesn't sound practical to me, in real environment there are 4 ospf area and each area have 13 Vlan. End up there will hundred of ACL rule in each switch. If I applied that much of ACL in each switch, I believe it will burden the CPU and might increase the latency.<BR /> <BR /> I know there are another method called private Vlan, but this network already deployed and is too late for us to make changes.<BR /> <BR /> Please advise is I am doing it correctly or there should be another way to do it.<BR /> <BR /> Thanks.<BR /> <BR /> Wed, 29 Oct 2014 20:33:00 GMT Edward 2014-10-29T20:33:00Z Using ACL to isolate all VLAN, only certain VLAN are allow to communicate. https://community.extremenetworks.com/t5/extremeswitching-exos-switch/using-acl-to-isolate-all-vlan-only-certain-vlan-are-allow-to/m-p/21998#M1728 Hi All,<BR /> <BR /> I have an situation, the requirement need us to isolate all VLAN, only allow certain VLAN communicate with each other. However, all VLAN shall able to go Internet.<BR /> <BR /> The challenge is there are OSPF in the network.<BR /> Besides, there area VRRP configured in each of the ospf area, I hope it will not affected by ACL.<BR /> <BR /> ospf area A ospf area B ospf area C<BR /> -------------------------------------------------------------<BR /> Vlan1A Vlan1B Vlan1C<BR /> Vlan2A Vlan2B Vlan2C<BR /> Vlan3A Vlan3B Vlan3C<BR /> Vlan4A Vlan4B Vlan4C<BR /> Vlan_p2p_A Vlan_p2p_B Vlan_p2p_C<BR /> Vlan_Internet<BR /> <BR /> * Different ospf area have different segment. Hence, there are 12 vlan + 1 vlan_internet<BR /> * Vlan_p2p are point-to-point type to establish ospf routing table<BR /> * All Vlan shall be isolated. However, they need communicate with Vlan_Internet inorder to go Internet<BR /> * Vlan1 are only allow to communicate with Vlan1 in other ospf area, same goes Vlan2, 3 and 4.<BR /> <BR /> My idea on how to create ACL:<BR /> * Create 3 different deny ACL (denyICMP, denyTCP, denyUDP) then apply to Vlan1, 2, 3 and 4 in all 3 area. (Lowest priority) <BR /> * Create 12 different permit ACL (permitVLAN1A, permitVLAN1B, permitVLAN1C, permitVLAN2A, permitVLAN2B .....) and apply to respective Vlan.<BR /> * Create permit ACL (Vlan_Internet) and apply to all Vlan<BR /> <BR /> I am not sure is this the way to configure ACL. It doesn't sound practical to me, in real environment there are 4 ospf area and each area have 13 Vlan. End up there will hundred of ACL rule in each switch. If I applied that much of ACL in each switch, I believe it will burden the CPU and might increase the latency.<BR /> <BR /> I know there are another method called private Vlan, but this network already deployed and is too late for us to make changes.<BR /> <BR /> Please advise is I am doing it correctly or there should be another way to do it.<BR /> <BR /> Thanks.<BR /> <BR /> Wed, 29 Oct 2014 20:33:00 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/using-acl-to-isolate-all-vlan-only-certain-vlan-are-allow-to/m-p/21998#M1728 Edward 2014-10-29T20:33:00Z RE: Using ACL to isolate all VLAN, only certain VLAN are allow to communicate. https://community.extremenetworks.com/t5/extremeswitching-exos-switch/using-acl-to-isolate-all-vlan-only-certain-vlan-are-allow-to/m-p/21999#M1729 I believe your requirement is easily achieved using stateful inspection firewalls.<BR /> But I doubt exos acl doesnt do this.<BR /> in exos If you add an acl to block on one vlan that will block traffic both ways.[its normal acl not stateful]<BR /> So thats why switches have private vlan concept.<BR /> same applies to other vendor switches as well. Fri, 31 Oct 2014 23:23:00 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/using-acl-to-isolate-all-vlan-only-certain-vlan-are-allow-to/m-p/21999#M1729 PARTHIBAN_CHINN 2014-10-31T23:23:00Z