
VDX 6740 - How to control L3 traffic flow between vlans - with ACLs?


Pawel_Eljasz
New Contributor II
hi guys

if I need to allow only certain nodes to access vlans behind VE iface do I do it with ACLs?

I think of that VE on VlanZ as a gateway to those nodes, through which the nodes would get to other Vlans.

Would I need to construct ACLs with all the subnets & hosts, or is there another, simpler way?

And if yes, then I'm trying but... I fail. What would such a rule look like?
I'm trying something obvious:

deny ip any 10.5.8.0 255.255.255.0

then apply it to the VE iface as ingress, but... nodes which have VE's IP as the gateway to 10.5.8.0/24 still get there.

many thanks.
6 REPLIES

Truyen_Phan
Extreme Employee
Can you try using hard-drop instead?

code:
device(config)# ip access-list extended ipv4-acl-example
device(conf-ipacl-ext)# hard-drop ip any 10.5.8.0 255.255.255.0


It's not clear how you want to block the traffic. Do you want to apply the ACL at the VE to block hosts which are using that VE as their gateway from talking to other hosts on the same subnet?

Also, please provide a bit more detail (hosts' source and destination IPs and topology).

Pawel_Eljasz
New Contributor II
Or, for such purposes, is an ACL not enough and Policy-Based Routing necessary?