
ACLs Extended Deny subnet to access other subnet and allow others

Moathsaed
New Contributor

Hi teams

Can you write the commands on Extreme to do the same as the commands below?

ip access-list extended 100
10 deny ip 192.168.6.0 0.0.0.255 192.168.2.0 0.0.0.255
11 deny ip 192.168.6.0 0.0.0.255 192.168.5.0 0.0.0.255

12 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

int eth 49
ip access-group 100 out

1 ACCEPTED SOLUTION

Tomasz
Valued Contributor II

Btw I was recently thinking about different ways to provide local subnets isolation (besides Policy or port isolation that can be done on an access switch, but the router is the one to isolate between vlans). I have enumerated a few ways to achieve this. I'm curious to know other people's point of view on this, let's keep it without a new topic as I don't think it's needed.

Scenario: 1, 10, 100 subnets with employees of different departments and devices of different purposes, separated with VLANs; they are supposed to reach the Internet and/or DC and/or printers VLAN but not to communicate internally with other departments, CCTV VLAN or else. Least-privilege (zero trust?) approach is to be applied.

Possible solutions IMHO:

  • ACL with explicit dst rules for each IP subnet that is to be denied, applied to these "user" VLANs (ACL permits a packet if not matched any entry so Internet would be reachable) - this approach requires lots of entries in bigger scale network, even worse if we'd like to build explicit src+dst pairs of matching criteria;
  • ACL with destination-zone as a criterion instead of destination-address - just one entry (which is then split by EXOS when implementing in hardware), zones (sets of address/mask) are defined manually thru CLI - much simpler; in both approaches we don't have to differentiate banned destinations for each local subnet, it can be the same ACL file for each concerned VLAN because we don't care if the router blocks traffic from/to the same network (as it is going to work without router's participation in the traffic path anyway);
  • ACL with single destination address deny but with shorter netmask - a trick possible if local subnets are consistently addressed; again, applied on local vlans (not entire switch; to apply any of these to the entire switch and let the DC or anything else be able to reach local subnets, we'd have to apply explicit permit on those service vlans - then vlan-based ACL has higher precedence than switch-wide ACL);
  • VLAN Isolation - didn't play with this one yet but it's told to be an equivalent of port isolation at a VLAN level on a gateway;

Which approach would you guys recommend on a router? One of these or something else? Or dropping inter-subnet traffic between employee departments right away on the access switch with Policy (simplest case would be to create an Automated Service I think, but needs to be different for each department to not block host's own subnet communication if we need it for any reason)?

 

Thanks,

Tomasz
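The "single deny with a shorter netmask" option from the list above, worked through as an added example (not part of the original post): it computes the one prefix that covers all user subnets and reports which service subnets that prefix would also block. The denied subnets are the ones named in this thread; the printer and DC subnets and the entry name `deny_local` are constructed for illustration.

```python
import ipaddress

# Denied subnets are the ones named in this thread; the service subnets
# (printers, DC) are constructed sample values.
USER_SUBNETS = ["192.168.2.0/24", "192.168.5.0/24", "192.168.6.0/24"]
SERVICE_SUBNETS = ["192.168.4.0/24", "10.10.0.0/16"]

def covering_supernet(subnets):
    """Smallest single prefix that contains every subnet in the list."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    cover = nets[0]
    # Widen the prefix one bit at a time until it contains all subnets.
    while not all(n.subnet_of(cover) for n in nets):
        cover = cover.supernet()
    return cover

def check_single_deny(user_subnets, service_subnets):
    """Return the covering prefix and the service subnets it would also deny."""
    cover = covering_supernet(user_subnets)
    collateral = [s for s in service_subnets
                  if ipaddress.ip_network(s).overlaps(cover)]
    return cover, collateral

def render_deny(cover, name="deny_local"):
    """EXOS policy entry denying the covering prefix as a destination."""
    return (f"entry {name} {{\n"
            f"    if match all {{\n"
            f"        destination-address {cover};\n"
            f"    }} then {{\n"
            f"        deny;\n"
            f"    }}\n"
            f"}}\n")

if __name__ == "__main__":
    cover, collateral = check_single_deny(USER_SUBNETS, SERVICE_SUBNETS)
    print(render_deny(cover))
    for net in collateral:
        print(f"# {net} is inside {cover} and needs an explicit permit")
```

With these inputs the single prefix is wider than the three user subnets, so a service subnet numbered inside the same range is caught by the deny; that is the practical meaning of "consistently addressed".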


5 REPLIES 5

Tomasz
Valued Contributor II

Hi,

 

You'll have to put that whole input (entry {...}) into a .pol file. Either on your computer and then upload to the switch, or edit locally on the switch by doing "edit policy ACL-NAME" according to Stefan's syntax to apply that ACL. This built-in editor is Vim like in Linux machines, so to start typing you have to press 'a' or 'i', and when you're done you should press [esc] and ':wq' to write and quit the editor.

 

Hope that helps,

Tomasz

Moathsaed
New Contributor

Thank you for the reply and help.

I tried, but this command is not supported on the switch; this message comes up:

entry one {

Invalid input detected

Stefan_K_
Valued Contributor

Hi,

maybe this article would help you: https://extremeportal.force.com/ExtrArticleDetail?an=000083345&q=ACL

Your ACL needs to look something like this:

entry one {
    if match all {
        source-address 192.168.6.0/24;
        destination-address 192.168.2.0/24;
    } then {
        deny;
    }
}

entry two {
    if match all {
        source-address 192.168.6.0/24;
        destination-address 192.168.5.0/24;
    } then {
        deny;
    }
}

(Traffic that doesn't match a rule is allowed)

Then you need to apply this ACL to a port or VLAN, for example:

configure access-list ACL-NAME port 49 ingress

or

configure access-list ACL-NAME vlan YOURVLAN ingress

Some more information about ACLs:
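The translation asked for in this thread, as an added example (not part of any post above): a small converter from the Cisco `seq action ip src wildcard dst wildcard` lines in the question to EXOS policy-file entries in the syntax Stefan shows. The entry names `seqNN` are an assumption made here, and only plain `ip` rules with address/wildcard pairs are handled.

```python
import ipaddress

# The Cisco rules from the question, copied from this thread.
CISCO_ACL = """\
10 deny ip 192.168.6.0 0.0.0.255 192.168.2.0 0.0.0.255
11 deny ip 192.168.6.0 0.0.0.255 192.168.5.0 0.0.0.255
12 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
"""

def wildcard_to_cidr(addr, wildcard):
    """Turn a Cisco address/wildcard pair into CIDR notation."""
    wild = int(ipaddress.IPv4Address(wildcard))
    # A prefix can only express wildcards of the form 0..01..1.
    if wild & (wild + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    prefix = 32 - wild.bit_length()
    # Strict parsing rejects an address with bits set under the wildcard.
    return str(ipaddress.IPv4Network(f"{addr}/{prefix}"))

def cisco_to_exos(acl_text):
    """Return EXOS policy text for 'seq action ip src wild dst wild' lines."""
    entries = []
    for line in acl_text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 7 or fields[2] != "ip" or fields[1] not in ("deny", "permit"):
            raise ValueError(f"unsupported rule: {line!r}")
        seq, action, _, src, src_wild, dst, dst_wild = fields
        entries.append(
            f"entry seq{seq} {{\n"
            f"    if match all {{\n"
            f"        source-address {wildcard_to_cidr(src, src_wild)};\n"
            f"        destination-address {wildcard_to_cidr(dst, dst_wild)};\n"
            f"    }} then {{\n"
            f"        {action};\n"
            f"    }}\n"
            f"}}\n"
        )
    return "\n".join(entries)

if __name__ == "__main__":
    print(cisco_to_exos(CISCO_ACL))
```

The Cisco ACL in the question is bound outbound on the interface, while the EXOS commands above bind at ingress, so the policy has to be applied on the port or VLAN where traffic from 192.168.6.0/24 enters the switch for the source match to take effect.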
