topic ACL one way in ExtremeSwitching (EXOS/Switch Engine)

ACL one way

Kamal_FIKRI — Thu, 14 Apr 2016 14:53:00 GMT

Hello,
I need to create an access list based on subnet IP source and destination and applied in a VLAN interface, the ACL work fine when we need to block all traffic, but when we try to block the traffic in one way like reflexive ACL in Cisco it doesn't work, here is my ACL:
entry DenyInterVlanRouting {
if match all {
source-address 10.10.1.110/32;
destination-address 10.10.128.245/32;
}
then {
deny ;
}
}
I want to block only from 10.10.1.110 to 10.10.128.245 and allow in the return path.

RE: ACL one way

Senguttuvan__Ar — Thu, 14 Apr 2016 15:32:00 GMT

Hi,

If you want to allow the return traffic, then, you need to have another rule like below on the same policy file:

entry Permit_return{
if match all {
source-address 10.10.128.245/32 ;
destination-address 10.10.1.110/32;
}
then {
permit;
}
}

RE: ACL one way

Kamal_FIKRI — Thu, 14 Apr 2016 15:46:00 GMT

Hi Senguttuvan,
Thank's for the replay,
I tried this one, but the traffic still dropped in both way, here is my new ACL:

entry DenyVlanDefault {
if match all {
source-address 10.10.10.58/32;
destination-address 10.10.128.20/32;
}then{
deny;
}
}
entry permit {
if match all {
source-address 10.10.128.20/32;
destination-address 10.10.10.58/32;
}
then{
permit;
}
}

I apply it in Default vlan interface ingress

RE: ACL one way

Kamal_FIKRI — Thu, 14 Apr 2016 15:47:00 GMT

Note: I changed IP address for test

RE: ACL one way

Senguttuvan__Ar — Thu, 14 Apr 2016 15:53:00 GMT

Hi Kamal,

I am sorry, I missed the part that you are applying this policy on a VLAN and in ingress direction.

I would like to know following information:

1. On which VLAN this IP resides 10.10.128.20/32;? I believe the IP 10.10.10.58 is on VLAN Default right?
2. How are you validating that the traffic with source 10.10.128.20 and destination 10.10.10.58 are getting forwarded to the device properly when the return traffic is blocked.
3. What are the ports these devices are connected to on the switch?

Regards,
Arun

RE: ACL one way

Kamal_FIKRI — Thu, 14 Apr 2016 16:02:00 GMT

Hi,
I have a summit L3 as core switch with multiple Vlan, the vlan interface 128 have IP 10.10.128.1/24 and is the gateway for 10.10.128.20 and the 10.10.10.58 is in the default vlan

RE: ACL one way

Senguttuvan__Ar — Thu, 14 Apr 2016 16:06:00 GMT

How are you validating that the traffic with source 10.10.128.20 and destination 10.10.10.58 are getting forwarded to the device properly when the return traffic is blocked.

Do you have any other rule in the policy apart from the deny rule?

Could you create a new policy with following rule:

entry permit {
if match all {
source-address 10.10.128.20/32;
destination-address 10.10.10.58/32;
}
then{
permit;
}
}

and apply as ingress on VLAN 128 and verify if it works.

RE: ACL one way

Kamal_FIKRI — Thu, 14 Apr 2016 16:16:00 GMT

for your question, my goal is to block traffic from 10.10.10.58 to 10.10.128.20 and allow 10.10.128.20 to 10.10.10.58. i can ping between theme when there is no ACL, this is how i validate that traffic is forwarded in the Switch,
I tried to make a second ACL to permit ingress traffic in 128 vlan interface but it still blocked

RE: ACL one way

Senguttuvan__Ar — Thu, 14 Apr 2016 16:22:00 GMT

Ping might not work because you are blocking the return traffic.

I prefer you open a case with TAC.

RE: ACL one way

Kamal_FIKRI — Thu, 14 Apr 2016 16:30:00 GMT

Can i make inter vlan isolation, i mean block communication using vlan id with some exception ?

Re: ACL one way

Giuseppe_Montan — Thu, 15 Jun 2023 09:16:37 GMT

Hi, did you fint a way to solve this issue ?

Giuseppe