This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

VDX 6740 - How to control L3 traffic flow between vlans - with ACLs?

VDX 6740 - How to control L3 traffic flow between vlans - with ACLs?

Pawel_Eljasz
New Contributor II

‎02-19-2019 05:17 PM

hi guys

if I need to allow only certain nodes to access vlans behind VE iface do I do it with ACLs?

I think of that VE on VlanZ as a gateway to those nodes, through which the nodes would get to other Vlans.

Would I need to construct ACLs with all the subnets & hosts or there is another, simpler way?

And if yes, them I'm trying but... I fail. How would such a rule look like?
I'm trying something obvious:

deny ip any 10.5.8.0 255.255.255.0

then apply it to the VE iface as ingress, but... nodes which have VE's IP as the gateway to 10.5.8.0/24 still get there.

many thanks.
0 Kudos
6 REPLIES 6

Truyen_Phan
Extreme Employee

‎02-24-2019 07:45 PM

When configuring ACLs on the VDX, the wildcard mask is inverted from the subnet mask.

https://en.wikipedia.org/wiki/Wildcard_mask
0 Kudos

Pawel_Eljasz
New Contributor II

‎02-23-2019 01:19 PM

What monstrosity is that?
How to read this notation?
0 Kudos

Truyen_Phan
Extreme Employee

‎02-22-2019 09:54 AM

I just realized that your wild card mask has the wrong syntax.

Please try this ACL to block subnet 10.5.8.0 /24 and 10.5.7.0/24

code:
ip access-list extended protect-VLANs
seq 10 permit ip host 192.168.2.144 any
seq 50 deny ip any 10.5.8.0 0.0.0.255
seq 51 deny ip any 10.5.7.0 0.0.0.255
seq 90 permit ip any any
0 Kudos

Pawel_Eljasz
New Contributor II

‎02-21-2019 11:53 AM

Tried hard-drop, did not work neither.

Again: "I think of that VE on VlanZ as a gateway to those nodes, through which the nodes would get to other Vlans."

Anything that travels to & through VE(which nodes would claim as the gateway). Ex.:

code:
ip access-list extended protect-VLANs
seq 10 permit ip host 192.168.2.144 any
seq 50 deny ip any 10.5.8.0 255.255.255.0
seq 51 deny ip any 10.5.7.0 255.255.255.0
seq 90 permit ip any any


Replace deny with hard-drop, apply this ACL to VE and still nodes from 192.168.2.0/24 gets to nodes in/from vlan subnet 10.5.8.0.
That VE in physical layer is a port group(two phys ports) which link to the "rest" of the world.

Either it's some bug or ACLs cannot do that on their own, by design, and something else must along with ACLs must be fixed. Maybe PBR...

I also thought that ACLs would just work. I come from, still use, Dell and there (slightly older PC62xx) it's only ACLs you need to do the trick.
0 Kudos
GTM-P2G8KFN