cancel
Showing results for 
Search instead for 
Did you mean: 

ACL Ingress/Egress when applied to a VLAN

ACL Ingress/Egress when applied to a VLAN

MattA
New Contributor
Hi Folks,

I'm having a hard time understanding when to apply an ACL as Ingress or Egress, specifically when applying it to a VLAN.

For example, I have a switch with 6 VLANs, and one of those VLANs is a guest network that shouldn't be able to access any other VLAN.

Would I apply those deny rules, within one ACL, as an Ingress on the Guest VLAN or an Egress?  Then an explicit permit at the end to allow for internet?

My initial thought was Egress, but I'm stumped after reading this article, How To: How To: Create and Apply an ACL in EXOS | Extreme Portal (force.com)

Thanks
Matt
4 REPLIES 4

marconet_22
New Contributor

Hi MattA

I have the same issue. I have VLAN8 like guest user and i need to block egress traffic to private networks. And it seems doesn't work.

but why? In Cisco, into every switch I can block ingress and egress traffic with Extended access list

Have you solved your issue?

Gabriel_G
Contributor II
Hey Matt,

For limiting client-to-client traffic in the same VLAN, I know of 2 features:
1) For wireless clients, there is usually a 'client-isolation' option on the WLC that prevents clients from talking to each other
2) For wired clients, you can use something call a private VLAN which forces traffic to an uplink port and not to any other client port.
Page 585
https://documentation.extremenetworks.com/exos_31.7/downloads/EXOS_User_Guide_31.7.pdf

MattA
New Contributor
Thanks @Gabriel_G that was very helpful. I was very confused with the ingress/egress logic however it clicked the other day as I was working with some test switches.

I'll need to brainstorm how to stop communications for clients on that VLAN locally, where an ACL is applied as ingress.  The VLANs will mainly be used for wireless, so I suspect the wireless controller has the option to isolate client traffic from each other.  

Thanks again! 
​​

Gabriel_G
Contributor II

Hi Matt,

When applying ACLs to a VLAN, that is effectively the same thing as applying the ACL to all ports that belong to that VLAN. Note that ACLs applied to a VLAN do not touch traffic that is routed into or out-of that VLAN locally.

In EXOS, it's generally easier to apply ingress ACLs vs Egress ACLs as Egress ACLs have more restrictions, less hardware availability, and egress ACLs are not supported on all platforms.

If you're trying to prevent client A from reaching things in network B, it's generally acceptable to apply an INGRESS ACL on the client port, or as close to the client as possible to reduce how far that traffic goes before it's dropped. Alternatively, you could use an EGRESS ACL at the router for network B if you're unsure of where traffic will be ingressing.

Regarding your specific example:
I would apply an ingress ACL to the guest VLAN with a bunch of deny rules that prevents those clients from reaching other networks (via destination-address match condition). Then the permit all at the end will allow for Internet traffic as you suggested.

Hope that helps!

GTM-P2G8KFN