cancel
Showing results for 
Search instead for 
Did you mean: 

ACLs Extended Deny subnet to access other subnet and allow others

ACLs Extended Deny subnet to access other subnet and allow others

Moathsaed
New Contributor

Hi teams

can you write command on extreme to do same bellow command

ip access-list extended 100
10 deny ip 192.168.6.0 0.0.0.255 192.168.2.0 0.0.0.255
11 deny ip 192.168.6.0 0.0.0.255 192.168.5.0 0.0.0.255

12 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

int eth 49
ip access-group 100 out

1 ACCEPTED SOLUTION

Tomasz
Valued Contributor II

Btw I was recently thinking about different ways to provide local subnets isolation (besides Policy or port isolation that can be done on an access switch, but the router is the one to isolate between vlans). I have enumerated few ways to achieve this. I’m curious to know other people’s point of view on this, let’s keep it without a new topic as I don’t think it’s needed.

Scenario: 1, 10, 100 subnets with employees of different departments and devices of different purposes, separated with VLANs; they are supposed to reach the Internet and/or DC and/or printers VLAN but not to communicate internally with other departments, CCTV VLAN or else. Least-privilege (zero trust?) approach is to be applied.

Possible solutions IMHO:

  • ACL with explicit dst rules for each IP subnets that are to be denied applied to these “user” VLANs (ACL permits a packet if not matched any entry so Internet would be reachable) - this approach requires lots of entries in bigger scale network, even worse if we’d like to build explicit src+dst pairs of matching criteria;
  • ACL with destination-zone as a criteria instead of destination-address - just one entry (which is then split by EXOS when implementing in hardware), zones (sets of address/mask) are defined manually thru CLI - much simpler; in both approaches we don’t have to differentiate banned destinations for each local subnet, it can be the same ACL file for each concerned VLAN because we don’t care if the router blocks traffic from/to the same network (as it is going to work without router’s participation in the traffic path anyway);
  • ACL with single destination address deny but with shorter netmask - a trick possible if local subnets are consistently addressed; again, applied on local vlans (not entire switch; to apply any of these to the entire switch and let the DC or anything else be able to reach local subnets, we’d have to apply explicit permit on those service vlans - then vlan-based ACL has higher precedence than switch-wide ACL);
  • VLAN Isolation - didn’t play with this one yet but it’s told to be an equivalent of port isolation at a VLAN level on a gateway;

Which approach would you guys recommend on a router? One of these or something else? Or dropping inter-subnet traffic between employee departments right away on the access switch with Policy (simplest case would be to create an Automated Service I think, but needs to be different for each department to not block host’s own subnet communication if we need it for any reason)?

 

Thanks,

Tomasz

View solution in original post

5 REPLIES 5

Moathsaed
New Contributor

our switch is  X450G2-48p-10G4

GTM-P2G8KFN