This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 

ACLs Extended Deny subnet to access other subnet and allow others

ACLs Extended Deny subnet to access other subnet and allow others

Go to solution
Moathsaed
New Contributor

ā€Ž04-07-2021 10:08 PM

Hi teams

can you write command on extreme to do same bellow command

ip access-list extended 100
10 deny ip 192.168.6.0 0.0.0.255 192.168.2.0 0.0.0.255
11 deny ip 192.168.6.0 0.0.0.255 192.168.5.0 0.0.0.255

12 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

int eth 49
ip access-group 100 out

0 Kudos
1 ACCEPTED SOLUTION

Go to solution
Tomasz
Valued Contributor II

ā€Ž04-08-2021 10:39 AM

Btw I was recently thinking about different ways to provide local subnets isolation (besides Policy or port isolation that can be done on an access switch, but the router is the one to isolate between vlans). I have enumerated few ways to achieve this. Iā€™m curious to know other peopleā€™s point of view on this, letā€™s keep it without a new topic as I donā€™t think itā€™s needed.

Scenario: 1, 10, 100 subnets with employees of different departments and devices of different purposes, separated with VLANs; they are supposed to reach the Internet and/or DC and/or printers VLAN but not to communicate internally with other departments, CCTV VLAN or else. Least-privilege (zero trust?) approach is to be applied.

Possible solutions IMHO:

  • ACL with explicit dst rules for each IP subnets that are to be denied applied to these ā€œuserā€ VLANs (ACL permits a packet if not matched any entry so Internet would be reachable) - this approach requires lots of entries in bigger scale network, even worse if weā€™d like to build explicit src+dst pairs of matching criteria;
  • ACL with destination-zone as a criteria instead of destination-address - just one entry (which is then split by EXOS when implementing in hardware), zones (sets of address/mask) are defined manually thru CLI - much simpler; in both approaches we donā€™t have to differentiate banned destinations for each local subnet, it can be the same ACL file for each concerned VLAN because we donā€™t care if the router blocks traffic from/to the same network (as it is going to work without routerā€™s participation in the traffic path anyway);
  • ACL with single destination address deny but with shorter netmask - a trick possible if local subnets are consistently addressed; again, applied on local vlans (not entire switch; to apply any of these to the entire switch and let the DC or anything else be able to reach local subnets, weā€™d have to apply explicit permit on those service vlans - then vlan-based ACL has higher precedence than switch-wide ACL);
  • VLAN Isolation - didnā€™t play with this one yet but itā€™s told to be an equivalent of port isolation at a VLAN level on a gateway;

Which approach would you guys recommend on a router? One of these or something else? Or dropping inter-subnet traffic between employee departments right away on the access switch with Policy (simplest case would be to create an Automated Service I think, but needs to be different for each department to not block hostā€™s own subnet communication if we need it for any reason)?

 

Thanks,

Tomasz

View solution in original post

0 Kudos
5 REPLIES 5

Go to solution
Moathsaed
New Contributor

ā€Ž04-07-2021 10:46 PM

our switch is  X450G2-48p-10G4

0 Kudos
GTM-P2G8KFN