topic Re: Access Control List Inbound vs Outbound in ExtremeSwitching (EXOS/Switch Engine)

Access Control List Inbound vs Outbound

wmtanderson — Tue, 08 Oct 2019 01:55:39 GMT

I'm new to Network Administration but I'm working on configuring ACL's to allow two subnets to communicate with each other across two sites. Isolation needs to exist so hosts within the subnets can only communicate to each other and the internet.

As an example:

10.10.10.0/21 - Remote Subnet
10.10.5.0/21 - Local Subnet
Both should have internet access and be able to communicate to each other only .

I'm hoping to find some documentation on the differences processing packets between inbound and outbound ACL's. We're currently using EOS on two S Series switches and the ACL's we have configured are not functioning but rather than delete the ACL's I'd like to use this as an opportunity to troubleshoot the ACL's.

Re: Access Control List Inbound vs Outbound

Joshua_Puusep — Thu, 10 Oct 2019 22:02:48 GMT

FYI, Those subnets are private, i.e. you cannot typically route them over the internet without tunneling.
https://en.wikipedia.org/wiki/Private_network

Chapter 54 in the S-series configuration guide explains the use of ACL's:
https://documentation.extremenetworks.com/eos_config/downloads/S_K_7100_Configuration_Guide.pdf

Re: Access Control List Inbound vs Outbound

wmtanderson — Thu, 10 Oct 2019 22:08:34 GMT

Hi @Joshua Puusep ,

You're correct we're actually routing these over MPLS so there is a connection as well as a backup VPN tunnel for redundancy of connection. The issue I had was thinking of ACL's from an L2 perspective rather than L3. Inbound ACL's are inbound to the routing instance not the L2 Interface and Outbound is outbound of the routing instance. Once I was able to grasp this and diagram I was able to get the ACL's working correctly.

Thanks for the reply!