Filter ACL's on VOSS, how far reaching are they?

XTRMUser
Contributor

I have two VOSS cores (routers, vISTed), some other VOSS switches (top of rack, etc.), no EXOS, and a number of ERS. I know that ERS can't handle ACLs.

My question is: to have effective ACLs (throughout the network), do I need to put them on each VOSS switch that we have? Or is there a way they can be defined on one VOSS switch (probably one of the routers) and be effective throughout the network?

Thanks.

1 ACCEPTED SOLUTION

EXTR_Paul
Extreme Employee

First thing. You have been misinformed. ERS stackables 100% support ACLs. If you download the ERS 4900/5900 document collections you will find all the ACL information in the QoS guides.

https://supportdocs.extremenetworks.com/support/documentation/ers-4900-and-5900-series-document-coll...

To answer your question. ACLs only have significance on the switch they are applied to. If there were a MAC, VLAN, IP or port you wanted to block throughout your network, you would need to apply that ACL on every switch. There is no way for a switch to propagate its ACLs to other switches on its own.

With that said, if your VSP cores are the routers, applying the ACLs there would at minimum block the traffic there. As all traffic needs to come back to the core, any L3 policy will be enforced there.

If you wanted dynamic ACLs to be applied on all your switches, you need to look at dynamic RADIUS ACLs that would be applied through a NAC policy. This feature was just added to VOSS a few years ago. In this case XIQ-SE CONTROL would be your NAC engine.

VOSS does this. But EXOS does it better.

With many of the clients I am working with that were all Avaya, today they are looking at replacing all their ERS switches with EXOS because the ACLs and Policy are more powerful and easier to work with in CONTROL.

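As an added illustration of Paul's point that an ACL is only evaluated by the switch it is configured on (this is example code written for this page, not part of the thread and not Extreme tooling), the Python model below traces which switches a unicast flow crosses in a simplified two-tier design (access switches uplinked to a vISTed core that does all inter-VLAN routing) and reports the host pairs a deny rule never sees when it lives only on the core. Switch names, VLANs, addresses and the rules themselves are constructed assumptions.

```python
"""Where does a filter ACL actually take effect?  (Added example, constructed data.)

Model: access switches ("tor-1", "tor-2") uplink to one logical core ("core-vsp",
standing in for the vISTed VSP pair).  A deny rule is a (src_cidr, dst_cidr) tuple
and is consulted only on switches the flow really passes through, i.e. an ACL on
the core cannot see traffic that is bridged locally on an access switch.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from itertools import permutations

CORE = "core-vsp"  # assumed name for the core routers (treated as one hop)


@dataclass
class Host:
    name: str
    ip: str
    vlan: int
    switch: str  # access switch the host is attached to


@dataclass
class Switch:
    name: str
    acl: list = field(default_factory=list)  # deny rules as (src_cidr, dst_cidr)


def path(src: Host, dst: Host) -> list:
    """Switches a unicast flow src->dst traverses, in order, without repeats.

    Same VLAN on the same access switch: bridged locally, the core never sees it.
    Anything else goes up to the core (routed there if the VLANs differ) and down
    to the destination's access switch.
    """
    if src.vlan == dst.vlan and src.switch == dst.switch:
        return [src.switch]
    return list(dict.fromkeys([src.switch, CORE, dst.switch]))


def blocked_at(src: Host, dst: Host, switches: dict):
    """Name of the first switch on the path whose ACL denies the flow, else None."""
    s_ip, d_ip = ip_address(src.ip), ip_address(dst.ip)
    for hop in path(src, dst):
        for src_net, dst_net in switches[hop].acl:
            if s_ip in ip_network(src_net) and d_ip in ip_network(dst_net):
                return hop
    return None


def enforcement_gaps(rule: tuple, hosts: list, switches: dict) -> list:
    """Host pairs the rule is meant to cover whose path has no switch carrying it."""
    src_net, dst_net = ip_network(rule[0]), ip_network(rule[1])
    gaps = []
    for a, b in permutations(hosts, 2):
        if ip_address(a.ip) in src_net and ip_address(b.ip) in dst_net:
            if not any(rule in switches[hop].acl for hop in path(a, b)):
                gaps.append((a.name, b.name))
    return sorted(gaps)


# Constructed policy: guests (VLAN 20) may not reach each other or the servers (VLAN 10).
GUEST_ISOLATION = ("10.10.20.0/24", "10.10.20.0/24")
GUEST_TO_SERVERS = ("10.10.20.0/24", "10.10.10.0/24")


def build_network():
    """Constructed sample topology: both rules configured on the core only."""
    switches = {
        CORE: Switch(CORE, acl=[GUEST_ISOLATION, GUEST_TO_SERVERS]),
        "tor-1": Switch("tor-1"),
        "tor-2": Switch("tor-2"),
    }
    hosts = [
        Host("guest-a", "10.10.20.11", 20, "tor-1"),
        Host("guest-b", "10.10.20.12", 20, "tor-1"),
        Host("guest-c", "10.10.20.13", 20, "tor-2"),
        Host("srv-1", "10.10.10.5", 10, "tor-2"),
    ]
    return hosts, switches


if __name__ == "__main__":
    hosts, switches = build_network()
    by = {h.name: h for h in hosts}
    print("guest-a -> srv-1  blocked at:", blocked_at(by["guest-a"], by["srv-1"], switches))
    print("guest-a -> guest-b blocked at:", blocked_at(by["guest-a"], by["guest-b"], switches))
    print("isolation gaps with rule on core only:", enforcement_gaps(GUEST_ISOLATION, hosts, switches))
    switches["tor-1"].acl.append(GUEST_ISOLATION)  # apply the rule on the access switch too
    print("isolation gaps after adding to tor-1:", enforcement_gaps(GUEST_ISOLATION, hosts, switches))
```

The inter-VLAN rule (guests to servers) has no gaps with the core alone, because every routed flow has to transit the core; the intra-VLAN guest isolation rule does, because two guests on the same ToR are bridged there and the core never sees their traffic. Closing that gap means configuring the same ACL on each access switch, which is exactly the per-switch work the answer describes and what a RADIUS-delivered dynamic ACL from the NAC engine would automate.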

2 REPLIES

XTRMUser
Contributor

Thanks Paul. That explains and clarifies a number of things.
