topic Re: ACL operation to stop client vlans routing to each other within a VR though still have access to P2pL inks and access to teh firewall in ExtremeSwitching (EXOS/Switch Engine)

ACL operation to stop client vlans routing to each other within a VR though still have access to P2pL inks and access to teh firewall

Rod_Robertson — Fri, 18 Dec 2020 18:27:32 GMT

I have a requiremment :

The server vlans with a VR with enable forwarding configured, should not be able to communicate with each other, though as this is VR there are a number of P2p network through the infrastructure , to get this VR to the firewall where , the FW acts as the extrenal router and access to other FW and other Vr’s , and ultimatly the internet , for all the configured vlans within the VR.

MY first though is to create an ACL that is basically for the vlans I do not want to communicate with each other , if the network is not listed in this ACL they should still be able to access each other

Entry Deny_ VlanA_B {

if{

source-address 192.168.20.0/16;

destination-address 192.168.30.0/24;

}

Then {

deny ;

count Deny_VlanA_B ;

]

}

Of course then add the other client vlans in this VR..

Assuming this is correct , I have no hardware to test untill I get to site ( remotly )

1 . is the proposed acl correct for what I want to achieve ?

Do I need a return statement ? ie the other way round from B to A
Is this acl added to the VR as configure access-list xxx any ingress
Or is thsi a global ie VR-default command.

Re: ACL operation to stop client vlans routing to each other within a VR though still have access to P2pL inks and access to teh firewall

Stefan_K_ — Fri, 18 Dec 2020 18:36:03 GMT

Hi,

are you sure that you mean 192.168.20.0/16? I think it should be /24, otherwise… well… 🙂

Yes, imo this is correct.
I would also block the other way round. With your ACL 192.168.30.0/24 could send packets to 192.168.20.0/24, but the reply packets would be blocked.
This ACL needs to be configured to interface (port or vlan): configure access-list ACLNAME [port|vlan] [ingress|egress]

Regards

Stefan

Re: ACL operation to stop client vlans routing to each other within a VR though still have access to P2pL inks and access to teh firewall

Rod_Robertson — Fri, 18 Dec 2020 19:05:53 GMT

Stefan

oopps yest its a /24 …

Thanks for the confirmation , I been doing extreme for a nunber of years , though in the clients I look after acl , like thsi do not normally come about hense the question, thanks for the prompt response..