This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 

I have multiple VLANs where I want to allow routing all VLANs to/from one particular special VLAN, but I do not want to route traffic between the "normal" VLANs.

I have multiple VLANs where I want to allow routing all VLANs to/from one particular special VLAN, but I do not want to route traffic between the "normal" VLANs.

Frank
Contributor II

ā€Ž04-04-2014 01:47 PM

Try this part:

...
entry EverythingElse {
if match all {
source-address 0.0.0.0/0;
}
then {
deny ;
count Deny;
}
}

I just finished fighting a similar issue. Without specifying "source anywhere", it denies everything.

In my case I have multiple VLANs where I want to allow routing all VLANs to/from one particular special VLAN, but I do not want to route traffic between the "normal" VLANs.

I'll start a thread on that...
Note: This topic was created from a reply on the static ACL question - block traffic vlan1 to vlan2 with exceptions topic.
0 Kudos
3 REPLIES 3

Frank
Contributor II

ā€Ž04-15-2014 07:13 AM

I think I sorted it out in the thread that I started - the problem seems to be that denying via
if match all {
} then {
deny
}
truly matches everything - every protocol, every port, every address, and especially every ARP.
It also appears that it means that a "deny" rule like that also matches previously "accept"ed packets (because of the ARP test?)
Lesson learned: don't deny all like this, deny all in a more specific matter šŸ˜‰

(I don't know if that was the intended behavior of "match all {}", but that's how it seems to play out.)

Jarek helped me out with that in this thread: https://community.extremenetworks.com/extreme/topics/access_list_policy_and_selective_routing_betwee...

0 Kudos

Paul_Russo
Extreme Employee

ā€Ž04-14-2014 07:19 PM

Hello Frank

The ACLs in XOS have a implicit permit not a implicit deny so adding your final entry is needed to make sure that all traffic is dropped unless it is explicitly permitted in the other entries.

Not sure if that is answering your question so if you can provide more information we can look it over.

Thanks
P
0 Kudos

Tamera_Rousseau
New Contributor

ā€Ž04-14-2014 06:59 PM

Hi Frank, I thought I would start this thread for you to see if anyone might be able to give you some advice. Have a great day!
0 Kudos
GTM-P2G8KFN