ACL Best Practices

MattA
New Contributor
Hi All,

I'm new to the Extreme Switch environment and I'm looking for some guidance on applying ACLs to a large deployment of networks.

I'm working on a project that is expanding a flat network into 48 VLANs across 6 locations.  (8 VLANs per location).

The locations house an Extreme Switch that routes to a Cisco router then to the internet. The VLAN default gateways are on the Extreme Switch config.

All VLANs are currently routable to all locations via the Cisco routers.

My question is: what is the most practical way to set up ACLs to stop certain VLANs from communicating with others?

For example:

Location A has VLANs 510 (192.168.10.1 /22) and 560 (192.168.60.1 /22)

Location B has VLANs 610 (192.168.110.1 /24) and 660 (192.168.160.1 /24)

Goal: VLAN 510 needs DNS and DHCP from a server on VLAN 560 (192.168.60.50), but all other traffic to VLANs 560, 610, and 660 should be blocked.

Will I need ACLs at both the Extreme switch level and the Cisco routers? Or can an ACL on the Extreme switch get the job done? Can I block 192.168.0.0/16 once the DNS and DHCP allows are added?

Hope this makes sense; I'm also new to ACLs and I'm trying to wrap my mind around this. I'm happy to explain more if needed.

Thanks for any help you can provide.

Gabriel_G
Extreme Employee

Hi Matt,

To block inter-VLAN traffic, I would generally look to apply ACLs to the client VLANs on INGRESS at the default gateway for that VLAN (being EXOS in your case). This way you only have to worry about installing the ACL in one location instead of on a bunch of L2 switches. Adding another ACL to the Cisco router at that point would be a bit superfluous.

Keep in mind EXOS ACLs have an implied permit catch-all (versus Cisco's implied deny catch-all). Therefore, your ACL will probably have a few deny rules preventing traffic from reaching certain 'destination-address' ranges, and it may need a permit rule for your DNS server if that DNS server happens to be in one of the networks that you don't normally want the clients to reach.

ACLs are processed top-down and only follow the first rule they match. After all of your denies, the implied permit catch-all will allow for internet traffic.

Here is a helpful article about ACLs and ways they can be configured:

How To: Create and Apply an ACL in EXOS | Extreme Portal (force.com)

Hope that helps!
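A worked policy for the scenario in the question, written as an added example here rather than taken from the original thread or from Extreme's documentation. It follows the ordering described above (specific permits first, then the broad deny, then the implied permit for everything else) and assumes a policy file named vlan510_ingress.pol and a VLAN named v510; the addresses are the ones from the question, and 192.168.8.0/22 is the subnet that 192.168.10.1/22 falls in.

```text
# vlan510_ingress.pol (assumed name) - applied on ingress of the VLAN 510 gateway
# EXOS evaluates entries top-down, first match wins, implied permit at the end.

# Keep traffic inside VLAN 510's own subnet working: an ingress ACL also sees
# L2-switched frames, so a bare deny of 192.168.0.0/16 would break local traffic.
entry permit_local_subnet {
    if match all {
        destination-address 192.168.8.0/22;
    } then {
        permit;
    }
}

# DNS to the server on VLAN 560 (UDP and TCP 53).
entry permit_dns_udp {
    if match all {
        protocol udp;
        destination-address 192.168.60.50/32;
        destination-port 53;
    } then {
        permit;
    }
}
entry permit_dns_tcp {
    if match all {
        protocol tcp;
        destination-address 192.168.60.50/32;
        destination-port 53;
    } then {
        permit;
    }
}

# Unicast DHCP renewals go straight to the server; the initial broadcast
# DISCOVER is sent to 255.255.255.255, which no deny below matches.
entry permit_dhcp_server {
    if match all {
        protocol udp;
        destination-address 192.168.60.50/32;
        destination-port 67;
    } then {
        permit;
    }
}

# Everything else bound for the private range (VLANs 560, 610, 660, ...) is dropped.
entry deny_private_ranges {
    if match all {
        destination-address 192.168.0.0/16;
    } then {
        deny;
        count denied_private;
    }
}
# No final entry: the implied permit lets internet-bound traffic through.
```

Apply it with `configure access-list vlan510_ingress vlan v510 ingress` and validate the syntax first with `check policy vlan510_ingress`; the `count` action lets you watch `show access-list counter` to confirm the deny is actually matching before trusting it.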

MattA
New Contributor
Thanks, Sam.

The routing switches are 5520 stacks with one X440G2 as well.

SamPirok
Community Manager
Hi Matt, could you tell me which Extreme equipment models you're using so I can find the correct team to bring your question to?