isolate ip network of vlan from other on same port

sumeet
New Contributor
Here is the scenario: we have multiple VLANs configured as follows.

VLAN 2001 setting

create vlan "vlan2001"
configure vlan vlan2001 tag 2001
configure vlan vlan2001 add ports 21-24 tagged
configure vlan vlan2001 ipaddress 10.0.0.1 255.255.255.0
configure vlan vlan2001 dhcp-address-range 10.0.0.3 - 10.0.0.100
configure vlan vlan2001 dhcp-options default-gateway 10.0.0.1
enable ipforwarding vlan vlan2001
enable dhcp ports 21-24 vlan vlan2001

There are lots of other VLANs, for example:
create vlan "vlan199"
configure vlan vlan199 tag 199
configure vlan vlan199 add ports 21-24 tagged
configure vlan vlan199 ipaddress 172.16.199.1 255.255.255.0
configure vlan vlan199 dhcp-address-range 172.16.199.2 - 172.16.199.200
configure vlan vlan199 dhcp-options default-gateway 172.16.199.1
enable ipforwarding vlan vlan199
enable dhcp ports 21-24 vlan vlan199

Similarly we have VLANs 101 to 198 with IP 172.16.<101-198>.1 and DHCP range 172.16.<101-198>.2 - 172.16.<101-198>.200.
I want 172.16.<101-199>.x to not be able to ping 10.0.0.x.
How should I do that?

Thanks.

André_Herkenrat
Extreme Employee
unconfigure access-list no_voip_access port 21

sumeet
New Contributor
OK

Can't find a way to disable ACL .

André_Herkenrat
Extreme Employee
If you just want to deny "Ping" then this would do it:

entry No_Ping { if {
protocol icmp;
source-address 172.16.0.0/16;
destination-address 10.0.0.0/24;
} then {
deny;
}
}

If you want to isolate traffic so it does not enter different areas of the network, ACLs can get to be a pain in the back. Depending on the platform you have, you can assign the VLANs to different virtual routers.

So if you have VLAN 2001 in the user-defined VR vr-v2001 (just an example of a name) and VLAN 199 in a different user-defined VR, e.g. vr-access, then these VLANs are isolated by default and you don't need any ACLs.

sumeet
New Contributor
I tried this

vi no_voip_access.pol

entry one {
if match all {
source-address 172.16.0.0/16 ;
destination-address 10.0.0.0/24 ;
}
then
{
redirect 172.16.0.1;
}
}

configure access-list no_voip_access.pol port 21 ingress

Got
Error: ACL policy no_voip_access.pol not found

Here I was hoping that all packets with source IP 172.16.x.x and destination IP 10.0.0.x would be sent to 172.16.0.1.
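Added example, not from the thread: a policy that drops all IP traffic from the 172.16.0.0/16 user VLANs to the VLAN 2001 subnet (not only ICMP, so the ping-only rule's gap is closed), with the commands to validate, apply, watch and remove it. The policy name block_to_voip and the counter name are assumed; the switch stores the file as block_to_voip.pol, but the CLI refers to the policy without the extension, which is why the ".pol" suffix in the configure command above produced "not found".

```text
# --- block_to_voip.pol (create with: edit policy block_to_voip) ---
# Deny every IP packet from the user VLANs to the VLAN 2001 subnet.
# Matching on IP addresses only (no "protocol icmp") also blocks TCP/UDP
# reach attempts. "count" makes hits visible for verification.
entry block_users_to_voip {
    if match all {
        source-address 172.16.0.0/16;
        destination-address 10.0.0.0/24;
    } then {
        deny;
        count users_to_voip_hits;
    }
}
# No further entries: anything not matched above is forwarded as before.

# --- CLI (annotations are not switch commands) ---
# Syntax check before applying, to avoid the silent "no change in behaviour" case.
check policy block_to_voip
# Apply on ingress of the tagged ports that carry all the VLANs (from the question).
configure access-list block_to_voip ports 21-24 ingress
# Verify binding, then ping 10.0.0.x from a 172.16.x.x host and watch the counter rise.
show access-list
show access-list counter users_to_voip_hits ports 21-24 ingress
# Remove the binding; only afterwards delete the file with "rm block_to_voip.pol".
unconfigure access-list block_to_voip ports 21-24 ingress
```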

sumeet
New Contributor
Now, at least the access list is being used.
Seems no change in behaviour.
Ping to 10.0.0.2 from a PC with IP 172.16.199.2 fails when the PC with IP 10.0.0.2 is disconnected from the Extreme switch.
One more thing: how do I remove the access list?
I guess rm no_voip_access.pol would not be proper?
