Extreme Networks

Julio_Oliveira · ‎04-02-2019

Hi,

I have 2 vsp 7k connected via V-Ist and I have 2 vsp 4k connected in those 7k using spb.

All the routing and l3 vlan are created in the vsp 7k.

vlan mgmt is 1000 (172.16.10.0/26) and I also have other vlans configured.

I plugged my notebook on the VSP4k with a static IP 10.222.10.100 and I can ping 172.16.10.0 network normally.

I am trying to block ping from vlan 12 (10.222.12.0/24)

I create a ACL trying to block this but didnt work. I still pinging from my pc.

filter acl 1 type inVlan name "ICMP_BLOCK"
filter acl vlan 1 1000
filter acl ace 1 5 name "Vlan 1000"
filter acl ace action 1 5 deny
filter acl ace ethernet 1 5 ether-type eq ip
filter acl ace ip 1 5 src-ip eq 10.222.12.100
filter acl ace ip 1 5 dst-ip eq 172.16.10.1
filter acl ace ethernet 1 5ether-type eq ip
filter acl ace ip 1 5 ip-protocol-type eq icmp
filter acl ace 1 5 enable

Anything that could help!

Thanks

Julio_Oliveira · ‎04-02-2019

I didnt set this configuration to a specific port. I configured to the whole vlan.

If I put src and dst IP to mask I keep pinging the another vlan.

I tried it as well, without success.

filter acl 1 type inVlan name "ACL-1"
filter acl vlan 1 1000

filter acl ace 1 1 name "MGMT_Ping"
filter acl ace action 1 1 permit
filter acl ace ethernet 1 1 ether-type eq ip
filter acl ace ip 1 1 src-ip mask 10.222.12.0 0.0.0.255
filter acl ace ip 1 1 dst-ip eq 172.16.10.1
filter acl ace 1 1 enable

filter acl ace 1 2 name "ACE-deny"
filter acl ace action 1 2 deny
filter acl ace ethernet 1 2 ether-type eq ip
filter acl ace 1 2 enable

Julio_Oliveira · ‎04-02-2019

I didnt set this configuration to a specific port. I configured to the whole vlan.

If I put src and dst IP to mask I keep pinging the another vlan.

aksidents · ‎04-02-2019

Silly question - Did you assign that ACL to the correct port?

What happens if you change eq to mask and us 10.222.12.0 0.0.0.255 and 172.16.10.0 0.0.0.31?

Extreme Networks

ACL blocking ping

ACL blocking ping