This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Extreme Networks
- Community List
- Switching & Routing
- ExtremeSwitching (EXOS/Switch Engine)
- Re: Access list deny VLANs communications
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Access list deny VLANs communications
Access list deny VLANs communications
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
11-27-2014 01:08 AM
Hi Guys,
I've never applied and access list on Extreme Networks switches. I need to know how to apply a upload a ACL to a Black Daimond. I have about 10 VLANs
I Need need:
1.- Permit all access on the same VLAN
2.- Permit all access to some servers
3.- Deny communications between VLANs
I have read the concept guide some things however I need to make sure because we are going to apply this ACL on production time.
I've never applied and access list on Extreme Networks switches. I need to know how to apply a upload a ACL to a Black Daimond. I have about 10 VLANs
I Need need:
1.- Permit all access on the same VLAN
2.- Permit all access to some servers
3.- Deny communications between VLANs
I have read the concept guide some things however I need to make sure because we are going to apply this ACL on production time.
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
10-08-2019 06:25 PM
Hi,
I am not an expert on this but you should need a stateful firewall to achieve this. Because when you deny vlan2 to vlan1 communication, it will also break the communications from vlan1 to vlan2 as the returning packets will be blocked.
Regards,
Rahman
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
10-03-2019 12:42 PM
Hi ,
I have secnario like below:
whats policy to do that?
permit vl1 to comunicate vl2 but deny vl2 comunicate vl1.
thanks
I have secnario like below:
whats policy to do that?
permit vl1 to comunicate vl2 but deny vl2 comunicate vl1.
thanks
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
11-27-2014 12:13 PM
Hey Jorge
One more thing you can copy and paste these into a txt document with the .pol extension then tftp that file to the switch. From there you use the command create access-list command.
You can test this using the XOS VM before you apply it to the production network.
P
One more thing you can copy and paste these into a txt document with the .pol extension then tftp that file to the switch. From there you use the command create access-list command.
You can test this using the XOS VM before you apply it to the production network.
P
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
11-27-2014 12:12 PM
Hello Jorge
There are two ways to do this you can either keep the explicit permit that is the default of the ACLs and just put a deny for each VLAN to VLAN or reverse it.
For example if you have 3 VLANs VL1, VL2 VL3 and they are in subnets 192.168.1.x, 2.x and 3.x respective then you can just have the deny statements like
entry Vlan_traffic1 {
if match all {
source-address 192.168.1.0/24;
Destination-Address 192.168.2.0/24;
}
then {
count Corp_Vlan_Traffic1 ;
deny ;
}
}
entry Vlan_traffic2 {
if match all {
source-address 192.168.2.0/24;
Destination-Address 192.168.1.0/24;
}
then {
count Corp_Vlan_Traffic2 ;
deny ;
}
}
entry Vlan_traffic3 {
if match all {
source-address 192.168.2.0/24;
Destination-Address 192.168.3.0/24;
}
then {
count Corp_Vlan_Traffic3 ;
deny ;
}
}
entry Vlan_traffic4 {
if match all {
source-address 192.168.3.0/24;
Destination-Address 192.168.2.0/24;
}
then {
count Corp_Vlan_Traffic4 ;
deny ;
}
}
entry Vlan_traffic5 {
if match all {
source-address 192.168.1.0/24;
Destination-Address 192.168.3.0/24;
}
then {
count Corp_Vlan_Traffic5 ;
deny ;
}
}
entry Vlan_traffic6 {
if match all {
source-address 192.168.3.0/24;
Destination-Address 192.168.1.0/24;
}
then {
count Corp_Vlan_Traffic6;
deny ;
}
}
Everything else that is not a hit on these statements will go through. If you then need them to be permitted to specific Servers then do the same thing but put the host address of the server /32
I hope that helps.
P
There are two ways to do this you can either keep the explicit permit that is the default of the ACLs and just put a deny for each VLAN to VLAN or reverse it.
For example if you have 3 VLANs VL1, VL2 VL3 and they are in subnets 192.168.1.x, 2.x and 3.x respective then you can just have the deny statements like
entry Vlan_traffic1 {
if match all {
source-address 192.168.1.0/24;
Destination-Address 192.168.2.0/24;
}
then {
count Corp_Vlan_Traffic1 ;
deny ;
}
}
entry Vlan_traffic2 {
if match all {
source-address 192.168.2.0/24;
Destination-Address 192.168.1.0/24;
}
then {
count Corp_Vlan_Traffic2 ;
deny ;
}
}
entry Vlan_traffic3 {
if match all {
source-address 192.168.2.0/24;
Destination-Address 192.168.3.0/24;
}
then {
count Corp_Vlan_Traffic3 ;
deny ;
}
}
entry Vlan_traffic4 {
if match all {
source-address 192.168.3.0/24;
Destination-Address 192.168.2.0/24;
}
then {
count Corp_Vlan_Traffic4 ;
deny ;
}
}
entry Vlan_traffic5 {
if match all {
source-address 192.168.1.0/24;
Destination-Address 192.168.3.0/24;
}
then {
count Corp_Vlan_Traffic5 ;
deny ;
}
}
entry Vlan_traffic6 {
if match all {
source-address 192.168.3.0/24;
Destination-Address 192.168.1.0/24;
}
then {
count Corp_Vlan_Traffic6;
deny ;
}
}
Everything else that is not a hit on these statements will go through. If you then need them to be permitted to specific Servers then do the same thing but put the host address of the server /32
I hope that helps.
P
