ACL Ingress/Egress when applied to a VLAN
MattA
New Contributor
Hi Folks,

I'm having a hard time understanding when to apply an ACL as Ingress or Egress, specifically when applying it to a VLAN.

For example, I have a switch with 6 VLANs, and one of those VLANs is a guest network that shouldn't be able to access any other VLAN.

Would I apply those deny rules, within one ACL, as an Ingress on the Guest VLAN or an Egress? Then an explicit permit at the end to allow for internet?

My initial thought was Egress, but I'm stumped after reading this article, How To: How To: Create and Apply an ACL in EXOS | Extreme Portal (force.com)

Thanks
Matt

estanicki
New Contributor

Gabriel,

Bringing up an old thread, but I'm looking at something similar. I'm interested in creating an Allow ACL with a global Deny at the bottom for any non-defined subnets. When I do this I lose inter-VLAN traffic. As an example:

Looking over the syntax and having the information below
VLAN1 172.16.0.0/16
VLAN2 10.10.10.0/24
VLAN3 10.10.11.0/24
VLAN4 10.10.12.0/24
VLAN100 172.20.0.0/24
VLAN101 172.20.1.0/24
VLAN102 172.20.2.0/24

I'm looking to allow VLAN 100, 101, 102 to access VLAN 1 but deny VLAN 2, 3, 4.

Using the policy below bound as ingress on VLAN1, I lose ping between VLAN1 devices and get trapped in the deny. This appears to be because, while it's inter-VLAN traffic, the packets still have layer 3 headers and it doesn't see the 'source' / 'destination' match. How can I maintain inter-VLAN traffic while keeping a mostly 'allow' policy file?

# Permit the three 172.20.x.0/24 VLANs into 172.16.0.0/16 (VLAN1)
entry VLAN100_to_VLAN1_Accept {
    if match all {
        source-address 172.20.0.0/24 ;
        destination-address 172.16.0.0/16 ;
    } then {
        permit ;
    }
}

entry VLAN101_to_VLAN1_Accept {
    if match all {
        source-address 172.20.1.0/24 ;
        destination-address 172.16.0.0/16 ;
    } then {
        permit ;
    }
}

entry VLAN102_to_VLAN1_Accept {
    if match all {
        source-address 172.20.2.0/24 ;
        destination-address 172.16.0.0/16 ;
    } then {
        permit ;
    }
}

# Catch-all: anything else destined for VLAN1 is dropped
entry DenyOthers_to_VLAN1 {
    if match all {
        destination-address 172.16.0.0/16 ;
    } then {
        deny ;
    }
}
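Added example, not code from the thread or from Extreme: a small Python model of top-down, first-match evaluation over the entries posted above. It shows why a ping between two VLAN1 hosts ends up in DenyOthers_to_VLAN1 (the deny constrains only the destination, and no earlier entry permits a 172.16.0.0/16 source), and what changes if an explicit intra-VLAN permit is placed ahead of the deny. First-match semantics and the intra-VLAN permit as a fix are assumptions of this model, not something the thread confirms.

```python
import ipaddress

# Constructed model of the posted ACL: entries are evaluated top-down and the
# first match wins (assumed to mirror how the policy file is evaluated).
# Each entry: (name, source prefix or None, destination prefix or None, action)
POSTED_POLICY = [
    ("VLAN100_to_VLAN1_Accept", "172.20.0.0/24", "172.16.0.0/16", "permit"),
    ("VLAN101_to_VLAN1_Accept", "172.20.1.0/24", "172.16.0.0/16", "permit"),
    ("VLAN102_to_VLAN1_Accept", "172.20.2.0/24", "172.16.0.0/16", "permit"),
    ("DenyOthers_to_VLAN1", None, "172.16.0.0/16", "deny"),
]

# Candidate fix (an assumption, not from the thread): permit VLAN1-internal
# traffic before the catch-all deny so 172.16.0.0/16 hosts still reach each other.
FIXED_POLICY = POSTED_POLICY[:3] + [
    ("VLAN1_to_VLAN1_Accept", "172.16.0.0/16", "172.16.0.0/16", "permit"),
] + POSTED_POLICY[3:]


def _matches(prefix, addr):
    # A field omitted from "match all" is unconstrained, so it always matches.
    return prefix is None or ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)


def evaluate(policy, src, dst):
    """Return (entry_name, action) for the first entry matching src -> dst.

    Packets matching no entry fall through; that is reported as 'no-match'
    rather than guessing the switch's implicit behaviour.
    """
    for name, s_prefix, d_prefix, action in policy:
        if _matches(s_prefix, src) and _matches(d_prefix, dst):
            return name, action
    return None, "no-match"


if __name__ == "__main__":
    # An ingress ACL on VLAN1 sees frames sourced by VLAN1 hosts, including a
    # ping to a neighbour on the same VLAN; only the destination-only deny matches.
    print(evaluate(POSTED_POLICY, "172.16.1.10", "172.16.1.20"))  # deny
    print(evaluate(POSTED_POLICY, "172.20.0.5", "172.16.1.20"))   # permit
    print(evaluate(FIXED_POLICY, "172.16.1.10", "172.16.1.20"))   # permit
    print(evaluate(FIXED_POLICY, "10.10.10.7", "172.16.1.20"))    # still deny
```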

marconet_22
New Contributor III

Hi MattA

I have the same issue. I have VLAN8 as a guest user VLAN and I need to block egress traffic to private networks, and it seems it doesn't work.

But why? In Cisco, on every switch I can block ingress and egress traffic with an extended access list.

Have you solved your issue?

Gabriel_G
Extreme Employee
Hey Matt,

For limiting client-to-client traffic in the same VLAN, I know of 2 features:
1) For wireless clients, there is usually a 'client-isolation' option on the WLC that prevents clients from talking to each other
2) For wired clients, you can use something called a private VLAN, which forces traffic to an uplink port and not to any other client port.
Page 585
https://documentation.extremenetworks.com/exos_31.7/downloads/EXOS_User_Guide_31.7.pdf

MattA
New Contributor
Thanks @Gabriel_G, that was very helpful. I was very confused with the ingress/egress logic; however, it clicked the other day as I was working with some test switches.

I'll need to brainstorm how to stop communications for clients on that VLAN locally, where an ACL is applied as ingress. The VLANs will mainly be used for wireless, so I suspect the wireless controller has the option to isolate client traffic from each other.

Thanks again!