04-12-2022 01:36 PM
Hi Matt,
Absolutely, I can help clarify this. In your setup, since the VLANs’ default gateways are on the Extreme Switches, you can enforce most of your ACLs right there. You would create ACLs that allow only the specific traffic you want—like DNS (UDP 53) and DHCP (UDP 67/68)—from VLAN 510 to the server on VLAN 560, and then deny everything else between those VLANs. Applied inbound on the VLAN interfaces, this will prevent unwanted traffic before it even hits the router.
You generally don’t need to replicate these ACLs on the Cisco routers unless you want an extra layer of protection or are worried about inter-site routing. Blocking the whole 192.168.0.0/16 range wouldn’t work if you need selective access, because that would also block your allowed DNS/DHCP traffic. Instead, focus on explicitly permitting only the required services and then deny all other traffic, which keeps it simple and scalable as you expand to 48 VLANs.
The key is planning your ACLs carefully: start with the “allow” rules for necessary services, then a catch-all deny at the end. Testing each ACL in a lab or in one location first can save headaches later, especially with multiple sites and hundreds of routes involved.
05-12-2022 01:12 PM
Hi Matt,
To block inter-VLAN traffic, I would generally look to apply ACLs to the client VLANs on INGRESS at the default gateway for that VLAN (being EXOS in your case). This way you only have to worry about installing the ACL in one location instead of on a bunch of L2 switches. Adding another ACL to the Cisco router at that point would be a bit superfluous.
Keep in mind EXOS ACLs have an implied permit catch-all (versus Cisco's implied deny catch-all). Therefore, your ACL will probably have a few deny rules preventing traffic from reaching certain 'destination-address' ranges, and it may need a permit rule for your DNS server if that DNS server happens to be in one of the networks that you don't normally want the clients to reach.
ACLs are processed top-down and only follow the first rule they match. After all of your denies, the implied permit catch-all will allow for internet traffic.
Here is a helpful article about ACLs and ways they can be configured:
How To: Create and Apply an ACL in EXOS | Extreme Portal (force.com)
Hope that helps!
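Both replies above describe the same design: permit the few services the clients need, deny the rest of the internal address space, and let the EXOS implicit permit pass internet traffic. Below is an added example policy file written to illustrate that design; it is not from either reply or from the linked Extreme article. The VLAN name `v510`, the client subnet 192.168.51.0/24, and the DNS/DHCP server address 192.168.56.10 (on VLAN 560) are assumed values, since the thread does not give the actual subnets.

```text
# client_vlan510.pol  (added example, addresses are assumed)
# Entries are evaluated top-down, first match wins, and anything
# that matches no entry falls through to the EXOS implicit permit.

# DNS to the server on VLAN 560, UDP and TCP (TCP is used for large
# responses and zone transfers, so do not permit only UDP 53).
entry permit_dns_udp {
    if {
        source-address 192.168.51.0/24;
        destination-address 192.168.56.10/32;
        protocol udp;
        destination-port 53;
    } then {
        permit;
        count dns_udp;
    }
}
entry permit_dns_tcp {
    if {
        source-address 192.168.51.0/24;
        destination-address 192.168.56.10/32;
        protocol tcp;
        destination-port 53;
    } then {
        permit;
        count dns_tcp;
    }
}

# DHCP client -> server. A DISCOVER is sent from 0.0.0.0 to
# 255.255.255.255 before the switch relays it, so match only on
# the protocol and server port, not on addresses.
entry permit_dhcp {
    if {
        protocol udp;
        destination-port 67;
    } then {
        permit;
        count dhcp;
    }
}

# A VLAN ingress ACL also sees traffic bridged within the VLAN
# (including ARP/ICMP to the gateway), so permit the local subnet
# before the broad deny below or clients lose their own VLAN.
entry permit_local_subnet {
    if {
        destination-address 192.168.51.0/24;
    } then {
        permit;
    }
}

# Deny everything else aimed at the internal range. Internet
# destinations do not match this entry and are passed by the
# implicit permit at the end of the policy.
entry deny_internal {
    if {
        destination-address 192.168.0.0/16;
    } then {
        deny;
        count internal_denied;
    }
}
```

Save the file as `client_vlan510.pol` on the switch (for example with `edit policy client_vlan510`), run `check policy client_vlan510` to catch syntax errors, then apply it with `configure access-list client_vlan510 vlan v510 ingress`. The `count` actions let you confirm the ordering is right from one test client: `show access-list counter vlan v510 ingress` should show `dns_udp` and `dhcp` incrementing while a ping to another client VLAN increments `internal_denied`. If you later edit the file, `refresh policy client_vlan510` reloads it without removing and re-adding the binding. Because EXOS has no implicit deny, any internal destination you forget to cover by the final `deny_internal` entry is reachable, so keep that entry last and keep every permit above it.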