
EXOS ACL on VLAN Problem


Patrick19
New Contributor

Hi Everyone,

I am having a problem with my EXOS ACL Policy.

I have 2 VLANs (for lab purposes):

-VLAN 10 - 192.168.1.0/24

-VLAN 20 - 192.168.2.0/24


Objectives:

-VLAN 10 to deny all traffic coming from VLAN 20

-VLAN 20 to accept all traffic coming from VLAN 10

-VLAN 10 to deny only 1 IP from VLAN 20

 

Here is my topology. I am using a router to act as a host, since I do not have any hosts in my GNS3 lab.

[image: Topology]

Policy created:


 

# Policy entry as posted; EXOS policy keywords are lowercase, so "source-address"
# (not "Source-address") is required for the policy to load.
entry one {
    if match all {
        source-address 192.168.2.0/24 ;
        destination-address 192.168.1.0/24 ;
    } then {
        count test ;
        deny ;
    }
}

 


Scenario 1:

Objectives:

-VLAN 10 to deny all traffic coming from VLAN 20 (not working)

 

Scenario:

  • I apply the policy to vlan10 in the ingress direction, but both routers from vlan20 can still ping the 192.168.1.2 router.

 

[image: Extreme Policy]
[image: Router 2.2]

[image: Router 2.3]

Scenario 2:

Objectives:

-VLAN 10 to deny all traffic coming from VLAN 20 (working)

-VLAN 20 to allow all traffic coming from VLAN 10 (not working)

 

Scenario:

  • I apply the policy to vlan20 in the ingress direction, and the ping was blocked. The problem now is that vlan10 cannot ping vlan20 (even if I add a wildcard rule at the end of the policy).

 

[image: ACL workaround 2]

[image: Extreme Policy]
[image: vlan 2 to vlan 1]
[image: vlan 1 to vlan 2]

 


Scenario 3:

Objectives:

-VLAN 10 to deny only 1 IP from VLAN 20

 

Scenario:

  • I apply the policy to vlan20 in the ingress direction.
  • vlan10 is blocking the whole vlan20 subnet.

 

[image: Policy]
[image: Router 2.2 (working)]
[image: Router 2.3 (not working)]

Please help me out on this thread. TAC's recommendation is to apply the policy on both VLANs, which I already did. Extreme ACL is quite complicated for me. Even though I have a background in programming, it seems that Extreme has a different perspective on applying ACL policies.

1 ACCEPTED SOLUTION

jeronimo
Contributor III

I haven't personally worked with those policies, however two things come to mind:

1) VLANxxx is considered the interface. So if you want for example to deny traffic from V20->V10 then you have to put a rule denying src:192.168.2.x,dst:192.168.1.x on VLAN0020 ingress, or VLAN0010 egress. Think of ingress as the traffic coming from the cable into the port, only that in this case the port is the virtual VLAN port inside the switch/router.

2) These devices are not stateful firewalls, they are routers. These ACLs work just like that. They don't look at who initiated a communication in order to let a response pass. They just pass/deny exactly what you tell them, and in the direction you indicate, nothing more, nothing less.
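The two points above can be checked with a small model of a stateless, first-match ACL bound to a VLAN in one direction. This is an added example, not EXOS code or anything from the original thread; the VLAN names, the "ingress on the source VLAN / egress on the destination VLAN" evaluation order and the implicit permit are assumptions made to mirror the asker's lab.

```python
from ipaddress import ip_address, ip_network

# Constructed model of a stateless, first-match EXOS-style ACL bound to a VLAN in one
# direction. Entry fields mirror the asker's policy; no match means implicit permit.
VLANS = {"vlan10": "192.168.1.0/24", "vlan20": "192.168.2.0/24"}
ENTRY_ONE = {"source-address": "192.168.2.0/24",
             "destination-address": "192.168.1.0/24", "action": "deny"}
POLICY = [ENTRY_ONE]

def evaluate(policy, src, dst):
    """Return the action of the first entry whose source and destination both match."""
    for entry in policy:
        if (ip_address(src) in ip_network(entry["source-address"])
                and ip_address(dst) in ip_network(entry["destination-address"])):
            return entry["action"]
    return "permit"

def vlan_of(ip):
    return next(name for name, net in VLANS.items() if ip_address(ip) in ip_network(net))

def forward(src, dst, bindings):
    """One packet is checked against the ingress policy of the VLAN it arrives on and
    the egress policy of the VLAN it leaves on. bindings: {(vlan, direction): policy}."""
    for key in ((vlan_of(src), "ingress"), (vlan_of(dst), "egress")):
        if evaluate(bindings.get(key, []), src, dst) == "deny":
            return "deny"
    return "permit"

def ping_succeeds(src, dst, bindings):
    """A ping needs the echo request and the echo reply; the ACL keeps no state,
    so the reply (dst -> src) is judged as an ordinary packet in its own direction."""
    return forward(src, dst, bindings) == "permit" and forward(dst, src, bindings) == "permit"

# Scenario 1: policy on vlan10 ingress. Packets from vlan20 never *enter* on vlan10,
# so both vlan20 routers can still ping 192.168.1.2.
def scenario1():
    b = {("vlan10", "ingress"): POLICY}
    return ping_succeeds("192.168.2.2", "192.168.1.2", b), ping_succeeds("192.168.2.3", "192.168.1.2", b)

# Scenario 2: policy on vlan20 ingress (or, equivalently, vlan10 egress). vlan20 -> vlan10
# is blocked, but vlan10 -> vlan20 also fails: the echo reply *is* vlan20 -> vlan10 traffic.
def scenario2(direction=("vlan20", "ingress")):
    b = {direction: POLICY}
    return ping_succeeds("192.168.2.2", "192.168.1.2", b), ping_succeeds("192.168.1.2", "192.168.2.2", b)

if __name__ == "__main__":
    print("scenario 1 (vlan10 ingress), pings from .2.2/.2.3 succeed:", scenario1())
    print("scenario 2 (vlan20 ingress), 2.2->1.2 / 1.2->2.2 succeed:", scenario2())
    print("scenario 2 via vlan10 egress:", scenario2(("vlan10", "egress")))
```

The model reproduces the asker's observations: binding on vlan10 ingress blocks nothing, while binding on vlan20 ingress or vlan10 egress blocks both directions of the ping because the reply is judged without any notion of who started the conversation.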


2 REPLIES 2

stephenjohn
New Contributor

This is good information, I understood it well, thanks.

 
