Ethernet Switches & Routers

Occasional Contributor
Posts: 5
Registered: ‎05-17-2013

ACL for inter VLAN routing

Hi,

We have an ICX6650 running FastIron R08010a and a DHCP server (IP 192.168.2.2) which is connected untagged on eth 1/1/15 as part of VLAN 2.

We have many VLANs to which DHCP has to be relayed:

 

ICX6650-64 Router(config)#vlan 2
ICX6650-64 Router(config)#router-interface ve 2
ICX6650-64 Router(config)#interface ve 2
ICX6650-64 Router(config-vif-2)#ip address 192.168.2.1/24
ICX6650-64 Router(config-vif-2)#ip helper-address 1 192.168.2.2
ICX6650-64 Router(config-vif-2)#exit
ICX6650-64 Router(config)#vlan 2
ICX6650-64 Router(config)#tagged ethernet 1/1/11 (here the L2 switch for VLAN 2 is connected at 10G)
ICX6650-64 Router(config)#untagged ethernet 1/1/15 (here the DHCP server is connected)

------------------------------------------------------------------------------

ICX6650-64 Router(config)#vlan 3
ICX6650-64 Router(config)#router-interface ve 3
ICX6650-64 Router(config)#interface ve 3
ICX6650-64 Router(config-vif-3)#ip address 192.168.3.1/24
ICX6650-64 Router(config-vif-3)#ip helper-address 1 192.168.2.2
ICX6650-64 Router(config-vif-3)#exit
ICX6650-64 Router(config)#vlan 3
ICX6650-64 Router(config)#tagged ethernet 1/1/12 (here the L2 switch for VLAN 3 is connected at 10G)

------------------------------------------------------------

I want all hosts of all VLANs to be able to access only the DHCP server; apart from that, inter-VLAN routing should not happen between any of the configured VLANs.

With the above configuration DHCP relay works perfectly, but all VLANs are able to do inter-VLAN routing.

Please suggest an ACL to restrict them, with an example.

Occasional Contributor
Posts: 7
Registered: ‎05-23-2014

Re: ACL for inter VLAN routing


ip access-list extended DHCPV2 (or whatever you want to name it.)
permit udp 192.168.2.0 0.0.0.255 eq bootpc host 192.168.2.2 eq bootps
deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 any

interface ve 2
ip access-group DHCPV2 out

ip access-list extended DHCPV3
permit udp 192.168.3.0 0.0.0.255 eq bootpc host 192.168.2.2 eq bootps
deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.3.0 0.0.0.255 any

interface ve 3
ip access-group DHCPV3 out

You can also use 100-199 instead of naming the ACL. I personally like using named ACLs. I haven't tested this so please test before implementing. Let me know how it works for you.
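The access-list logic this thread is discussing, simulated in Python as an added example (this is not code from the original posts or from Brocade): a first-match evaluator with the implicit deny at the end, a per-VLAN ACL built from the thread's addressing (192.168.2.0/24 and 192.168.3.0/24, DHCP server 192.168.2.2), and a handful of constructed packets. The example models the ACL as applied inbound on each VE, the direction in which a client's own packets enter the router; that direction, the rule set and the sample packets are this example's assumptions, not a description of the reply's configuration. It also covers the edge case worth checking before trusting any "permit udp <subnet> ... eq bootps" line: a client's initial DHCPDISCOVER/DHCPREQUEST is sent from source 0.0.0.0 to 255.255.255.255, so a rule keyed on the VLAN subnet only matches later unicast renewals. Whether the switch evaluates the VE ACL before the relay agent picks up that broadcast is platform behaviour to verify on the box itself.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

BOOTPS, BOOTPC = 67, 68                  # DHCP server / client UDP ports
DHCP_SERVER = "192.168.2.2"              # server address from the thread
VLAN_SUBNETS = {2: "192.168.2.0/24", 3: "192.168.3.0/24"}   # VE 2 / VE 3 from the thread


@dataclass(frozen=True)
class Packet:
    proto: str      # "udp", "tcp", "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: str                     # CIDR or "any"
    dst: str
    sport: Optional[int] = None  # None = any port
    dport: Optional[int] = None


def _in_net(addr: str, net: str) -> bool:
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def evaluate(acl, pkt: Packet):
    """First matching rule wins; no match is the implicit deny at the end of every ACL."""
    for index, rule in enumerate(acl):
        if rule.proto != "ip" and rule.proto != pkt.proto:
            continue
        if not (_in_net(pkt.src, rule.src) and _in_net(pkt.dst, rule.dst)):
            continue
        if rule.sport is not None and rule.sport != pkt.sport:
            continue
        if rule.dport is not None and rule.dport != pkt.dport:
            continue
        return rule.action, index
    return "deny", None


def build_vlan_acl(vlan_id: int, permit_rest: bool = False):
    """Ingress ACL for one VE (assumed design): DHCP to the server is allowed, the other
    VLAN subnets are blocked, and anything else is either allowed or left to the implicit deny."""
    local = VLAN_SUBNETS[vlan_id]
    rules = [
        # Initial DISCOVER/REQUEST: unaddressed client, limited broadcast, udp 68 -> 67
        Rule("permit", "udp", "0.0.0.0/32", "255.255.255.255/32", BOOTPC, BOOTPS),
        # Renewals: an addressed client unicasts straight to the server
        Rule("permit", "udp", local, DHCP_SERVER + "/32", BOOTPC, BOOTPS),
    ]
    for other_id, other_net in VLAN_SUBNETS.items():
        if other_id != vlan_id:
            rules.append(Rule("deny", "ip", local, other_net))   # no inter-VLAN routing
    if permit_rest:
        rules.append(Rule("permit", "ip", local, "any"))
    return rules


# Constructed sample traffic as it would enter VE 3 from a VLAN 3 host.
SAMPLE = {
    "discover":       Packet("udp", "0.0.0.0", "255.255.255.255", BOOTPC, BOOTPS),
    "renew":          Packet("udp", "192.168.3.50", DHCP_SERVER, BOOTPC, BOOTPS),
    "smb_to_vlan2":   Packet("tcp", "192.168.3.50", "192.168.2.10", 51000, 445),
    "smb_to_server":  Packet("tcp", "192.168.3.50", DHCP_SERVER, 51000, 445),   # non-DHCP use of the server
    "https_external": Packet("tcp", "192.168.3.50", "203.0.113.9", 51000, 443),
}


def verdicts(vlan_id: int = 3, permit_rest: bool = False):
    """Verdict per sample packet for the ACL of the given VE."""
    acl = build_vlan_acl(vlan_id, permit_rest)
    return {name: evaluate(acl, pkt)[0] for name, pkt in SAMPLE.items()}


def discover_without_broadcast_rule(vlan_id: int = 3):
    """Fate of the initial DISCOVER when the ACL only names the VLAN subnet as source."""
    acl = build_vlan_acl(vlan_id, permit_rest=True)[1:]   # drop the 0.0.0.0 rule
    return evaluate(acl, SAMPLE["discover"])[0]


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name:15} {verdict}")
    print("discover without the 0.0.0.0 rule:", discover_without_broadcast_rule())
```

With `permit_rest=False` the sample host can only talk DHCP to the server (even SMB to the DHCP server itself is denied by the inter-VLAN deny), which matches the "only access the DHCP server" wording of the question; `permit_rest=True` reproduces the trailing `permit ip ... any` style from the reply, where traffic to non-VLAN destinations such as the Internet still passes. Run the file to see the verdicts for VE 3 and the effect of omitting the broadcast rule.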

Occasional Contributor
Posts: 11
Registered: ‎04-02-2013

Re: ACL for inter VLAN routing

ramesh1,

Did you get your ACL tested and implemented?

- Jonathon

Brocade Consultant
Northeast Ohio
BCNE & BCNP
