This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Extreme Networks
- Community List
- Switching & Routing
- ExtremeSwitching (EXOS/Switch Engine)
- RE: ACL and IP forwarding between VLANs
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
ACL and IP forwarding between VLANs
ACL and IP forwarding between VLANs
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
01-07-2014 09:53 PM
Create Date: Jun 20 2012 5:48AM
Hi,
On a Black Diamond (aka Aspen) 8810 (with EXOS 12.1) , I have a VLAN (let's call it "isolated") that i would like isolated from all other VLANs except for a few specific hosts. Only for those hosts belonging to other VLANs the traffic should be routed.
My first idea is to enable ipforwarding for this VLAN "isolated" (ipforwarding is already enabled for all other VLANs) and configure ACLs on this VLAN that permit packets to and from the few specific authorized hosts, and a default ACL that matches everything else and denies all packets.
But this won't work since on this model ACL are only possible for ingress traffic, so it will drop all traffic from any VLAN to VLAN "isolated", but it won't drop traffic from VLAN "isolated" to other VLANs. I don't like it from the security point of view.
Is there a way to do that? I'm far from being a network expert, but isn't it a very common need?
Thanks in advance
Matthieu
(from matthieu_imbert)
Hi,
On a Black Diamond (aka Aspen) 8810 (with EXOS 12.1) , I have a VLAN (let's call it "isolated") that i would like isolated from all other VLANs except for a few specific hosts. Only for those hosts belonging to other VLANs the traffic should be routed.
My first idea is to enable ipforwarding for this VLAN "isolated" (ipforwarding is already enabled for all other VLANs) and configure ACLs on this VLAN that permit packets to and from the few specific authorized hosts, and a default ACL that matches everything else and denies all packets.
But this won't work since on this model ACL are only possible for ingress traffic, so it will drop all traffic from any VLAN to VLAN "isolated", but it won't drop traffic from VLAN "isolated" to other VLANs. I don't like it from the security point of view.
Is there a way to do that? I'm far from being a network expert, but isn't it a very common need?
Thanks in advance
Matthieu
(from matthieu_imbert)
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
01-07-2014 09:54 PM
Create Date: Jun 22 2012 12:11AM
Would it be possible to tackle this problem in a different way: instead of using ACLs to isolate the VLAN, could I explicitely remove the routes automatically added when I enable ipforwarding on this VLAN, and then re-enable only the few routes to the specific hosts which are authorized to talk to the VLAN?
What do you think?
Matthieu
(from matthieu_imbert)
Would it be possible to tackle this problem in a different way: instead of using ACLs to isolate the VLAN, could I explicitely remove the routes automatically added when I enable ipforwarding on this VLAN, and then re-enable only the few routes to the specific hosts which are authorized to talk to the VLAN?
What do you think?
Matthieu
(from matthieu_imbert)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
01-07-2014 09:54 PM
Create Date: Jun 20 2012 8:32AM
Hi Prusso, thanks for your answer, it makes sense.
I came to the same conclusion: i need to create as many ACL as there are networks.
I hoped that there could be another way, because I have a lot of networks. Also the network addressing scheme will evolve in the future, some networks can be added or modified, and I or other admins will always have to remember to update the ACLs accordingly, which is a recipe for security holes.
i tried to imagine a way with two ACL configured for all ports, which would drop all packets with source or destination in the isolated vlan, but this would require being able to negate a match in the ACL syntax, something like:
entry block-to-isolated {
if {
source-address 2.2.2.0/24;
destination-address NOT 2.2.2.0/24;
} then {
deny;
}
}
entry block-from-isolated {
if {
destination-address 2.2.2.0/24;
source-address NOT 2.2.2.0/24;
} then {
deny;
}
}
indeed it seems i'm stuck with the "as many ACL as networks" solution (i don't say "as many ACL as vlans" because i have more networks than vlans)
Matthieu
(from matthieu_imbert)
Hi Prusso, thanks for your answer, it makes sense.
I came to the same conclusion: i need to create as many ACL as there are networks.
I hoped that there could be another way, because I have a lot of networks. Also the network addressing scheme will evolve in the future, some networks can be added or modified, and I or other admins will always have to remember to update the ACLs accordingly, which is a recipe for security holes.
i tried to imagine a way with two ACL configured for all ports, which would drop all packets with source or destination in the isolated vlan, but this would require being able to negate a match in the ACL syntax, something like:
entry block-to-isolated {
if {
source-address 2.2.2.0/24;
destination-address NOT 2.2.2.0/24;
} then {
deny;
}
}
entry block-from-isolated {
if {
destination-address 2.2.2.0/24;
source-address NOT 2.2.2.0/24;
} then {
deny;
}
}
indeed it seems i'm stuck with the "as many ACL as networks" solution (i don't say "as many ACL as vlans" because i have more networks than vlans)
Matthieu
(from matthieu_imbert)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
01-07-2014 09:54 PM
Create Date: Jun 20 2012 8:25AM
(from matthieu_imbert)
(from matthieu_imbert)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
01-07-2014 09:53 PM
Create Date: Jun 20 2012 7:54AM
Hey Matthieu
I think the thing that is missing is that the ACLs in XOS are not stateful ACLs like you have in a router. If you need to restrict traffic in both directions then you need ACLs from/to all VLANs.
For example subnet 1 is 1.1.1.0/24 and subnet 2 is 2.2.2.0/24. If I have an ACL that sees source of 1.1.1.1 going to 2.2.2.1 and I deny it that does not mean 2.2.2.1 can't send a packet back to 1.1.1.1. What it will do is stop the connection because any ack packets from 1.1.1.1 to set up the connection will be blocked so you should not see any IP connections being built but that does mean that 2.2.2.1 can't send DoS packets or something.
If you need to restrict all packets then you would need a second ACL entry denying 2.2.2.1 talking to 1.1.1.1
Hope that makes sense
P (from Paul_Russo)
Hey Matthieu
I think the thing that is missing is that the ACLs in XOS are not stateful ACLs like you have in a router. If you need to restrict traffic in both directions then you need ACLs from/to all VLANs.
For example subnet 1 is 1.1.1.0/24 and subnet 2 is 2.2.2.0/24. If I have an ACL that sees source of 1.1.1.1 going to 2.2.2.1 and I deny it that does not mean 2.2.2.1 can't send a packet back to 1.1.1.1. What it will do is stop the connection because any ack packets from 1.1.1.1 to set up the connection will be blocked so you should not see any IP connections being built but that does mean that 2.2.2.1 can't send DoS packets or something.
If you need to restrict all packets then you would need a second ACL entry denying 2.2.2.1 talking to 1.1.1.1
Hope that makes sense
P (from Paul_Russo)
