https://community.extremenetworks.com/t5/extremeswitching-exos-switch/exos-22-7-x-x-acl-preventing-layer-2-communication-between/m-p/68765#M18599 <P><USER-MENTION data-id="9898672">@Stefan K.</USER-MENTION>&nbsp;</P><P>&nbsp;</P><P>Something like this;</P><P>entry 1 {<BR />if match all {<BR />destination-address 10.0.0.0/8 ;<BR />}<BR />then {<BR />deny ;<BR />count deny ;<BR />}<BR />}<BR />entry 2 {<BR />if match all {<BR />destination-address 172.16.0.0/12 ;<BR />}<BR />then {<BR />deny ;<BR />count deny ;<BR />}<BR />}<BR />entry 3 {<BR />if match all {<BR />destination-address 192.168.0.0/16&nbsp;;<BR />}<BR />then {<BR />deny ;<BR />count deny ;<BR />&nbsp;</P><P>Applied to a VLAN on Egress, lets say VLAN100, if i have two clients configured on the same switch that is doing the L3 they cannot communicate with each other…. i’ve never had this with Cisco\HP\Dell.</P><P>&nbsp;</P><P>The only way i can then get it to work is with an additional entry of;</P><P>if match all {<BR />source-address 192.168.1.0/24 ;<BR />destination-address 192.168.1.0/24 ;<BR />}<BR />then {<BR />permit ;<BR />}<BR />}</P><P>&nbsp;</P><P>Having the an ACL blocking access to the RFC1918 subnets also blocks routing protocols like VRRP, but i have seen another article on that and that only seems to really effect the likes of VRRP if the ACL is on Ingress.</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 10 Feb 2021 22:52:12 GMT RobertWilkinson 2021-02-10T22:52:12Z https://community.extremenetworks.com/t5/extremeswitching-exos-switch/exos-22-7-x-x-acl-preventing-layer-2-communication-between/m-p/68763#M18597 <P>Anyone else got an issue with clients communicating with each other on the same&nbsp;subnet if deploying an ACL Policy on egress of a VLAN.</P><P>In Cisco world a normal RFC1918 ACL Egressing the VLAN&nbsp;is sufficient for a guest network, clients can still communicate with each other but this can be additionally adjusted with an ACL.</P><P>&nbsp;</P><P>It seems in EXOS as soon as you define an ACL it enables a type of Client Isolation and the only way around this would be to specifically allow client&nbsp; to client config via an additional rule to allow egress traffic of the whole subnet.</P> Wed, 10 Feb 2021 20:10:50 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/exos-22-7-x-x-acl-preventing-layer-2-communication-between/m-p/68763#M18597 RobertWilkinson 2021-02-10T20:10:50Z https://community.extremenetworks.com/t5/extremeswitching-exos-switch/exos-22-7-x-x-acl-preventing-layer-2-communication-between/m-p/68764#M18598 <P>Could you show us the ACL you created?&nbsp;</P> Wed, 10 Feb 2021 22:16:22 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/exos-22-7-x-x-acl-preventing-layer-2-communication-between/m-p/68764#M18598 Stefan_K_ 2021-02-10T22:16:22Z https://community.extremenetworks.com/t5/extremeswitching-exos-switch/exos-22-7-x-x-acl-preventing-layer-2-communication-between/m-p/68765#M18599 <P><USER-MENTION data-id="9898672">@Stefan K.</USER-MENTION>&nbsp;</P><P>&nbsp;</P><P>Something like this;</P><P>entry 1 {<BR />if match all {<BR />destination-address 10.0.0.0/8 ;<BR />}<BR />then {<BR />deny ;<BR />count deny ;<BR />}<BR />}<BR />entry 2 {<BR />if match all {<BR />destination-address 172.16.0.0/12 ;<BR />}<BR />then {<BR />deny ;<BR />count deny ;<BR />}<BR />}<BR />entry 3 {<BR />if match all {<BR />destination-address 192.168.0.0/16&nbsp;;<BR />}<BR />then {<BR />deny ;<BR />count deny ;<BR />&nbsp;</P><P>Applied to a VLAN on Egress, lets say VLAN100, if i have two clients configured on the same switch that is doing the L3 they cannot communicate with each other…. i’ve never had this with Cisco\HP\Dell.</P><P>&nbsp;</P><P>The only way i can then get it to work is with an additional entry of;</P><P>if match all {<BR />source-address 192.168.1.0/24 ;<BR />destination-address 192.168.1.0/24 ;<BR />}<BR />then {<BR />permit ;<BR />}<BR />}</P><P>&nbsp;</P><P>Having the an ACL blocking access to the RFC1918 subnets also blocks routing protocols like VRRP, but i have seen another article on that and that only seems to really effect the likes of VRRP if the ACL is on Ingress.</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 10 Feb 2021 22:52:12 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/exos-22-7-x-x-acl-preventing-layer-2-communication-between/m-p/68765#M18599 RobertWilkinson 2021-02-10T22:52:12Z https://community.extremenetworks.com/t5/extremeswitching-exos-switch/exos-22-7-x-x-acl-preventing-layer-2-communication-between/m-p/68766#M18600 <P>Turns out it works on Ingress on the VLAN, Cisco and Enterasys is the opposite way. All sorted now.</P><P>&nbsp;</P><P>Still have to have an entry that has the L2 subnet as a source and destination to allow clients to reach each other but not a major issue, just not usual behavior for other vendor ACL’s.</P> Mon, 29 Mar 2021 23:22:05 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/exos-22-7-x-x-acl-preventing-layer-2-communication-between/m-p/68766#M18600 RobertWilkinson 2021-03-29T23:22:05Z