https://community.extremenetworks.com/t5/extremeswitching-exos-switch/exos-acl-for-block-inter-vlan-traffic/m-p/73625#M19120 <P>Hi all,</P><P>I need a advice from you regarding the acl configuration.</P><P>Scenario;</P><P>There are five VLANs names “Manage, VLAN1, VLAN2, VLAN3, VLAN4” All VLANs dhcp pools configured in core switch. Core is&nbsp;X460-24p stack.</P><P>My points are:</P><P>1). All traffic from VLAN 1-4 to Manage VLAN should be block.</P><P>2). Manage VLAN can be access other VLANs&nbsp;</P><P>3). VLAN3 and VLAN4 can not communicate each other and also can not access VLAN 1 and VLAN&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 2.</P><P>4). VLAN 1 and VLAN 2 can communicate each other.</P><P>&nbsp;</P><P>I created 5 different static ACLs as follow and apply each vlan as ingress. But those are not working and even there is no count.</P><P>entry denyUPC{<BR />&nbsp; &nbsp; &nbsp; &nbsp; if match all{<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; source-address 10.10.10.254/24;<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; destination-address 192.168.20.254/24;<BR />&nbsp; &nbsp; &nbsp; &nbsp; }<BR />&nbsp; &nbsp; &nbsp; &nbsp; then{<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; count denyUPC;<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; deny;<BR />&nbsp; &nbsp; &nbsp; &nbsp; }<BR />}</P><P>entry denyUPC1{<BR />&nbsp; &nbsp; &nbsp; &nbsp; if match all{<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; source-address 172.16.100.254/24;<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; destination-address 192.168.20.254/24;<BR />&nbsp; &nbsp; &nbsp; &nbsp; }<BR />&nbsp; &nbsp; &nbsp; &nbsp; then{<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; count denyUPC;<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; deny;<BR />&nbsp; &nbsp; &nbsp; &nbsp; }<BR />}</P><P>&nbsp;</P><P>Please help to solve this.</P><P>Thanks.</P><P>Gihan</P> Mon, 14 Sep 2020 12:31:57 GMT Gihan1 2020-09-14T12:31:57Z https://community.extremenetworks.com/t5/extremeswitching-exos-switch/exos-acl-for-block-inter-vlan-traffic/m-p/73625#M19120 <P>Hi all,</P><P>I need a advice from you regarding the acl configuration.</P><P>Scenario;</P><P>There are five VLANs names “Manage, VLAN1, VLAN2, VLAN3, VLAN4” All VLANs dhcp pools configured in core switch. Core is&nbsp;X460-24p stack.</P><P>My points are:</P><P>1). All traffic from VLAN 1-4 to Manage VLAN should be block.</P><P>2). Manage VLAN can be access other VLANs&nbsp;</P><P>3). VLAN3 and VLAN4 can not communicate each other and also can not access VLAN 1 and VLAN&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 2.</P><P>4). VLAN 1 and VLAN 2 can communicate each other.</P><P>&nbsp;</P><P>I created 5 different static ACLs as follow and apply each vlan as ingress. But those are not working and even there is no count.</P><P>entry denyUPC{<BR />&nbsp; &nbsp; &nbsp; &nbsp; if match all{<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; source-address 10.10.10.254/24;<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; destination-address 192.168.20.254/24;<BR />&nbsp; &nbsp; &nbsp; &nbsp; }<BR />&nbsp; &nbsp; &nbsp; &nbsp; then{<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; count denyUPC;<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; deny;<BR />&nbsp; &nbsp; &nbsp; &nbsp; }<BR />}</P><P>entry denyUPC1{<BR />&nbsp; &nbsp; &nbsp; &nbsp; if match all{<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; source-address 172.16.100.254/24;<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; destination-address 192.168.20.254/24;<BR />&nbsp; &nbsp; &nbsp; &nbsp; }<BR />&nbsp; &nbsp; &nbsp; &nbsp; then{<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; count denyUPC;<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; deny;<BR />&nbsp; &nbsp; &nbsp; &nbsp; }<BR />}</P><P>&nbsp;</P><P>Please help to solve this.</P><P>Thanks.</P><P>Gihan</P> Mon, 14 Sep 2020 12:31:57 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/exos-acl-for-block-inter-vlan-traffic/m-p/73625#M19120 Gihan1 2020-09-14T12:31:57Z https://community.extremenetworks.com/t5/extremeswitching-exos-switch/exos-acl-for-block-inter-vlan-traffic/m-p/73626#M19121 <P>Hi,</P><P>EXOS ACLs are evaluated in order and have an implicit permit at the end. So, two entries will be necessary--one to deny traffic from each source subnet to each destination subnet. All other traffic (i.e. internet traffic) will be permitted:</P><P>&nbsp;</P><P>Below is an article that describes it in more detail:</P><P><A href="https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-use-an-ACL-to-prevent-inter-VLAN-traffic-for-internal-subnets-but-allow-internet-traffic" target="_blank" rel="nofollow noreferrer noopener">How to use an ACL to prevent inter-VLAN traffic for internal subnets but allow internet traffic</A></P><P>&nbsp;</P><P>Thanks,</P><P>Chris Thompson</P> Sat, 26 Sep 2020 02:16:34 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/exos-acl-for-block-inter-vlan-traffic/m-p/73626#M19121 CThompsonEXOS 2020-09-26T02:16:34Z https://community.extremenetworks.com/t5/extremeswitching-exos-switch/exos-acl-for-block-inter-vlan-traffic/m-p/73627#M19122 <P>as far as I remember EXOS ACLs are working at the port as well as you apply it on a vlan. This means, you need to permit traffic inside of each vlan too, if you have an explicit “deny any” at the end.</P><P>Also ACLs are not statefull. So in Case of 2. - You can’t permit Manage to access VLAN 1-4 if other direction is denied (1.).</P><P>You should have a look to “private vlan” function. - I think this should have more sense for you.&nbsp;</P> Sun, 27 Sep 2020 16:25:23 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/exos-acl-for-block-inter-vlan-traffic/m-p/73627#M19122 PeterK 2020-09-27T16:25:23Z