ā04-07-2021 10:08 PM
Hi teams
can you write command on extreme to do same bellow command
ip access-list extended 100
10 deny ip 192.168.6.0 0.0.0.255 192.168.2.0 0.0.0.255
11 deny ip 192.168.6.0 0.0.0.255 192.168.5.0 0.0.0.255
12 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
int eth 49
ip access-group 100 out
Solved! Go to Solution.
ā04-08-2021 10:39 AM
Btw I was recently thinking about different ways to provide local subnets isolation (besides Policy or port isolation that can be done on an access switch, but the router is the one to isolate between vlans). I have enumerated few ways to achieve this. Iām curious to know other peopleās point of view on this, letās keep it without a new topic as I donāt think itās needed.
Scenario: 1, 10, 100 subnets with employees of different departments and devices of different purposes, separated with VLANs; they are supposed to reach the Internet and/or DC and/or printers VLAN but not to communicate internally with other departments, CCTV VLAN or else. Least-privilege (zero trust?) approach is to be applied.
Possible solutions IMHO:
Which approach would you guys recommend on a router? One of these or something else? Or dropping inter-subnet traffic between employee departments right away on the access switch with Policy (simplest case would be to create an Automated Service I think, but needs to be different for each department to not block hostās own subnet communication if we need it for any reason)?
Thanks,
Tomasz
ā04-08-2021 10:39 AM
Btw I was recently thinking about different ways to provide local subnets isolation (besides Policy or port isolation that can be done on an access switch, but the router is the one to isolate between vlans). I have enumerated few ways to achieve this. Iām curious to know other peopleās point of view on this, letās keep it without a new topic as I donāt think itās needed.
Scenario: 1, 10, 100 subnets with employees of different departments and devices of different purposes, separated with VLANs; they are supposed to reach the Internet and/or DC and/or printers VLAN but not to communicate internally with other departments, CCTV VLAN or else. Least-privilege (zero trust?) approach is to be applied.
Possible solutions IMHO:
Which approach would you guys recommend on a router? One of these or something else? Or dropping inter-subnet traffic between employee departments right away on the access switch with Policy (simplest case would be to create an Automated Service I think, but needs to be different for each department to not block hostās own subnet communication if we need it for any reason)?
Thanks,
Tomasz
ā04-08-2021 10:18 AM
Hi,
Youāll have to put that whole input (entry {...}) into a .pol file. Either on your computer and then upload to the switch, or edit locally on the switch by doing āedit policy ACL-NAMEā according to Stefanās syntax to apply that ACL. This built-in editor is Vim like in Linux machines, so to start typing you have to press āaā or āiā, and when youāre done you should press [esc] and ā:wqā to write and quit the editor.
Hope that helps,
Tomasz
ā04-08-2021 09:52 AM
Thank you for reply and help
I tried but this command not support on the switch coming message
entry one {
Invalid input detected
ā04-08-2021 06:40 AM
Hi,
maybe this article would help you: https://extremeportal.force.com/ExtrArticleDetail?an=000083345&q=ACL
Your ACL needs to look something like this:
entry one {
if match all {
source-address 192.168.6.0/24;
destination-address 192.168.2.0/24;
} then {
deny;
}
}
entry two {
if match all {
source-address 192.168.6.0/24;
destination-address 192.168.5.0/24;
} then {
deny;
}
}
(Traffic that doesnāt match a rule is allowed)
Then you need to apply this ACL to an port or VLAN, for example:
configure access-list ACL-NAME port 49 ingress
or
configure access-list ACL-NAME vlan YOURVLAN ingress
Some more information about ACLs: