cancel
Showing results for 
Search instead for 
Did you mean: 

Access list deny VLANs communications

Access list deny VLANs communications

Jorge3
New Contributor
Hi Guys,

I've never applied and access list on Extreme Networks switches. I need to know how to apply a upload a ACL to a Black Daimond. I have about 10 VLANs

I Need need:

1.- Permit all access on the same VLAN
2.- Permit all access to some servers
3.- Deny communications between VLANs

I have read the concept guide some things however I need to make sure because we are going to apply this ACL on production time.

4 REPLIES 4

Rahman_Duran
Contributor II

Hi,

I am not an expert on this but you should need a stateful firewall to achieve this. Because when you deny vlan2 to vlan1 communication, it will also break the communications from vlan1 to vlan2 as the returning packets will be blocked.

Regards,

Rahman

Nadir
New Contributor
Hi ,
I have secnario like below:
whats policy to do that?
permit vl1 to comunicate vl2 but deny vl2 comunicate vl1.


thanks

Paul_Russo
Extreme Employee
Hey Jorge

One more thing you can copy and paste these into a txt document with the .pol extension then tftp that file to the switch. From there you use the command create access-list command.

You can test this using the XOS VM before you apply it to the production network.

P

Paul_Russo
Extreme Employee
Hello Jorge

There are two ways to do this you can either keep the explicit permit that is the default of the ACLs and just put a deny for each VLAN to VLAN or reverse it.

For example if you have 3 VLANs VL1, VL2 VL3 and they are in subnets 192.168.1.x, 2.x and 3.x respective then you can just have the deny statements like

entry Vlan_traffic1 {
if match all {
source-address 192.168.1.0/24;
Destination-Address 192.168.2.0/24;
}
then {
count Corp_Vlan_Traffic1 ;
deny ;
}
}
entry Vlan_traffic2 {
if match all {
source-address 192.168.2.0/24;
Destination-Address 192.168.1.0/24;
}
then {
count Corp_Vlan_Traffic2 ;
deny ;
}
}

entry Vlan_traffic3 {
if match all {
source-address 192.168.2.0/24;
Destination-Address 192.168.3.0/24;
}
then {
count Corp_Vlan_Traffic3 ;
deny ;
}
}
entry Vlan_traffic4 {
if match all {
source-address 192.168.3.0/24;
Destination-Address 192.168.2.0/24;
}
then {
count Corp_Vlan_Traffic4 ;
deny ;
}
}
entry Vlan_traffic5 {
if match all {
source-address 192.168.1.0/24;
Destination-Address 192.168.3.0/24;
}
then {
count Corp_Vlan_Traffic5 ;
deny ;
}
}

entry Vlan_traffic6 {
if match all {
source-address 192.168.3.0/24;
Destination-Address 192.168.1.0/24;
}
then {
count Corp_Vlan_Traffic6;
deny ;
}
}

Everything else that is not a hit on these statements will go through. If you then need them to be permitted to specific Servers then do the same thing but put the host address of the server /32

I hope that helps.

P

GTM-P2G8KFN