Help with intervlan routing ACL

John_Barfield
New Contributor
Greetings! This is my first post here. My name is John and I'm trying to configure a scalable solution for our monitoring system to keep track of individual circuit health.

I've configured one Extreme Networks X440-48t switch stack as a router connecting to switches at different buildings over metro ethernet circuits.

Each building switch can see the routing switch on a /30 like so:

Routing Switch Stack X440-48t        Building Switches X440-8p
VLAN 311: 192.168.252.1/30      ->   192.168.252.2
VLAN 512: 192.168.252.5/30      ->   192.168.252.6
VLAN 242: 192.168.252.9/30      ->   192.168.252.10
Default VLAN: 192.168.2.236/24
        |
  Core switching stack
        |
  Internal Core Router
        |
    192.168.2.254

I want IP traffic coming from the 192.168.2.0 network to have access to all VLANs with those /30 addresses, but I do not want each of the switches to be able to communicate with each other.

For example:

192.168.252.2/30 should not be able to communicate with 192.168.252.6/30 or 192.168.252.10/30.

What would be the most efficient and manageable way to achieve this goal using EXOS ACLs, while also planning for the fact that there could be endless VLAN interfaces configured this way in the future?

Thanks in advance for any assistance.

John

Prashanth_KG
Extreme Employee
Hi John,

This command is available only from 15.3.
And this is a port-specific configuration and hence should not be dependent on whether the VLAN is tagged or untagged.

John_Barfield
New Contributor
Does port isolation work on ports with tagged VLANs? Or only untagged?

Also what version of EXOS does this feature come in on? I've got
15.2.3.2 v1523b2-patch1-12 but it does not pop up as an option.

John_Barfield
New Contributor
This is EXACTLY what I'm looking for. I looked at port isolation, I thought that's what it did, but the documentation was (IMO) not clear enough about the expected behavior. Thank you very much for the clarification. I'll implement this and let you know my results.

Prashanth_KG
Extreme Employee
Hi John,

I was thinking the solution to this would be as simple as configuring the ports on 24p switch connecting to every 8p switch as isolation ports.

Following is an explanation about this feature:
The Port Isolation feature blocks accidental and intentional inter-communication between different customers residing on different physical ports. This feature provides a much simpler blocking mechanism without the use of ACL hardware. The fundamental requirements are as follows:

    Blocking Rules: All traffic types received on an isolation port are blocked from being forwarded through other ‘isolation’ ports. All traffic types received on an isolation port can be forwarded to any other port. All traffic types received on non-isolation ports are permitted to be forwarded to isolation ports. There is no access-list hardware use. The blocking mechanism is a set of one or two table memories. These resources are not shared with other features, nor do they have any scaling limits that can be reached by configuring this feature. Port isolation can be configured in conjunction with other features, including VPLS, IDM, and XNV. However, you cannot configure a mirror-to port to be an isolated port.
command:

configure port isolation on.

Let me know your thoughts.

If the ports of the 24p connecting to the 8p switches will have only the /30 VLAN, this should meet your requirement.
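
The blocking rules quoted above, applied to John's topology as a small added model (example code written for this page, not from the thread or from Extreme Networks): port numbers, the uplink port, and the mirror-to port are assumed for illustration, and `can_forward` encodes only the three forwarding rules the feature description states.

```python
# Added example: model of the EXOS port isolation forwarding rules quoted
# above, applied to the hub-and-spoke layout in the thread. Port numbers
# (24 = uplink toward the core, 1-3 = /30 links to building switches,
# 8 = a mirror-to port) are constructed assumptions, not from the thread.
from dataclasses import dataclass, field


@dataclass
class Switch:
    isolated: set = field(default_factory=set)   # ports with isolation on
    mirror_to: set = field(default_factory=set)  # ports used as mirror targets

    def can_isolate(self, port):
        # Caveat from the feature description: a mirror-to port cannot be isolated.
        return port not in self.mirror_to

    def set_isolation(self, port, on=True):
        # Assumed EXOS CLI form: configure ports <port_list> isolation on
        if on and not self.can_isolate(port):
            raise ValueError(f"port {port} is a mirror-to port and cannot be isolated")
        (self.isolated.add if on else self.isolated.discard)(port)

    def can_forward(self, ingress, egress):
        """Only isolation -> isolation is blocked; every other pair forwards."""
        if ingress == egress:
            return False
        return not (ingress in self.isolated and egress in self.isolated)


def build_example():
    sw = Switch(mirror_to={8})
    for spoke in (1, 2, 3):          # one isolated port per building link
        sw.set_isolation(spoke, on=True)
    return sw


def verify_requirement(sw, uplink=24, spokes=(1, 2, 3)):
    """Uplink reaches every spoke both ways, spokes never reach each other."""
    core_ok = all(sw.can_forward(uplink, s) and sw.can_forward(s, uplink) for s in spokes)
    spokes_blocked = all(not sw.can_forward(a, b) for a in spokes for b in spokes if a != b)
    return core_ok and spokes_blocked


if __name__ == "__main__":
    sw = build_example()
    for a in (24, 1, 2, 3):
        for b in (24, 1, 2, 3):
            if a != b:
                print(f"port {a:2d} -> port {b:2d}: {'forward' if sw.can_forward(a, b) else 'blocked'}")
    sw.set_isolation(4, on=True)     # a new location: one more isolated port, no ACL edit
    print("requirement met with four spokes:", verify_requirement(sw, spokes=(1, 2, 3, 4)))
```

Adding a location is one more `set_isolation` call on the new port, which is the scaling property John asked about.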

John_Barfield
New Contributor
The way it's configured, there is one 24 port switch at one location, connected to multiple 8 port switches at different locations. This 24 port switch is acting as the gateway for VPN clients to the smaller switches using /30 point to point connections. A rudimentary illustration:

VPN
 |
router
 |
summit stack
 |
independent summit 24 port aggregator
    24p1 -> /30 -> 8p location 1
    24p2 -> /30 -> 8p location 2
    24p3 -> /30 -> 8p location 3

As you can see, I want traffic going into the 24 port to have access to the 24 port and all of the 8 port switches at different locations, with the 24 port acting as the default gw to the 8s. What I don't want is for the 8 ports to be able to get to each other through the 24. The 24 is acting as a forwarding gateway. I'm just looking for the easiest way to do this as a policy because I don't want to update the ACL every time we add a new location. Is this possible? If so, could you point me in the right direction and maybe throw an example in? I'm not announcing routes in this scenario.