topic RE: Question about dynamic ACL in ExtremeSwitching (EXOS/Switch Engine)

Question about dynamic ACL

EtherNation_Use — Wed, 08 Jan 2014 06:50:00 GMT

Create Date: Jul 17 2012 6:36AM

Hi experts, I want to implement ACL in my work but I have a problem. I have 3 VLANs :

vlan 4 : administrative users
vlan 5: call center users
vlan 10 : servers

I want to block traffic from vlan 5 to vlan 4, but I dont want to block traffic from vlan 4 to vlan 5.

I did 2 dynamic ACL :

entry BlockTCP-to-172.17.4.0 {
if {
destination-address 172.17.4.0/24;
protocol tcp;
} then {
deny true;
}
}

entry BlockUDP-to-172.17.4.0 {
if {
destination-address 172.17.4.0/24;
protocol udp;
} then {
deny true;
}
}

These dynamic ACL, I applied to vlan 5 but the traffic is blocked in both directions.

Can anyone help me?

Sorry for my bad english language.

Regards

JL (from jonatan_lezcano)

RE: Question about dynamic ACL

EtherNation_Use — Wed, 08 Jan 2014 06:50:00 GMT

Create Date: Jul 18 2012 8:52AM

Hi johnadq,

try this:
entry BlockTCP-to-172.17.4.0
{if
{destination-address 172.17.4.0/24;
protocol tcp;
tcp-flags syn;
}
then
{
deny;
}
}

--
Jarek (from Jaroslaw_Kasjaniuk)

RE: Question about dynamic ACL

EtherNation_Use — Wed, 08 Jan 2014 06:50:00 GMT

Create Date: Jul 18 2012 3:58PM

Why don't you just go ahead and disable ipforwarding between the VLANs.

di ipforwarding (from Arpit_Bhatt)