topic RE: static ACL question - block traffic vlan1 to vlan2 with exceptions in ExtremeSwitching (EXOS/Switch Engine)

static ACL question - block traffic vlan1 to vlan2 with exceptions

EtherNation_Use — Wed, 08 Jan 2014 06:51:00 GMT

Create Date: Jul 24 2013 3:10PM

I have 2 vlans with both VRRP enabled and share the default gateway (firewall).

VLAN1 - not allowed to access VLAN2 (with exception DNS server and default GW)
VLAN2 - no restrictions to VLAN1

policy:

entry VLAN1-to-VLAN2-GW {
if {
source-address 10.99.35.0/24 ;
destination-address 10.99.36.254/24 ;
} then {
permit ;
}
}

entry VLAN1-to-VLAN2-DNS {
if {
source-address 10.99.35.0/24 ;
destination-address 10.99.36.101/24 ;
protocol tcp ;
source-port 53;
protocol udp ;
source-port 53;

} then {
permit ;
}
}

entry VLAN1-to-VLAN2-OTHER {
if {
source-address 10.99.35.0/24 ;
destination-address 10.99.36.0/24 ;
} then {
deny ;
}
}

Policy check was successfull.
I add this ACL/policy to a port/egress with laptop connected to that port (VLAN1 - 10.99.35.105) . But I can still access all servers in VLAN2.

Can you please check if I oversee something? XOS ACL are pretty new for me.
(from LNU)

RE: static ACL question - block traffic vlan1 to vlan2 with exceptions

EtherNation_Use — Wed, 08 Jan 2014 06:51:00 GMT

Create Date: Jul 25 2013 12:05PM

You could try something like this:

entry VLAN1-to-VLAN2-GW {
if match all {
source-address 10.99.35.0/24 ;
destination-address 10.99.36.254/32 ;
}
then {
permit ;
count VL1-VL2-GW
}
}
entry VLAN1-to-VLAN2-DNS {
if match all {
source-address 10.99.35.0/24 ;
destination-address 10.99.36.101/32 ;
source-port 53;
}
then {
permit ;
count VL1-VL2-DNS
}
}
entry VLAN2 {
if match all {
source-address 10.99.36.0/24 ;
}
then {
permit ;
count VL2
}
}
entry EverythingElse {
if match all {
}
then {
deny ;
count Deny;
}
}

With "show access-list counter" you can see packets hitting specific rule.
Configure acl on ingress port (where your laptop is connected).
(from Marjan_Rancic)

RE: static ACL question - block traffic vlan1 to vlan2 with exceptions

EtherNation_Use — Wed, 08 Jan 2014 06:51:00 GMT

Create Date: Jul 26 2013 11:14AM

thanks, but its not working.

If permitting matches, everything is permitted.
If deny all other and permitting matches, everything is denied.
(from LNU)

RE: static ACL question - block traffic vlan1 to vlan2 with exceptions

Frank — Fri, 04 Apr 2014 20:47:00 GMT

Try this part:

...
entry EverythingElse {
if match all {
source-address 0.0.0.0/0;
}
then {
deny ;
count Deny;
}
}

I just finished fighting a similar issue. Without specifying "source anywhere", it denies everything.

In my case I have multiple VLANs where I want to allow routing all VLANs to/from one particular special VLAN, but I do not want to route traffic between the "normal" VLANs.

I'll start a thread on that...

RE: static ACL question - block traffic vlan1 to vlan2 with exceptions

Tamera_Rousseau — Fri, 04 Apr 2014 20:47:00 GMT

User had an additional question. Please reference the new topic here: I have multiple VLANs where I want to allow routing all VLANs to/from one particu...