Ethernet Switches & Routers

Contributor
Posts: 40
Registered: ‎01-28-2013
Accepted Solution

Having trouble with applying ACL to ve on incoming traffic - want to allow only specific IPs

I am new to ACLs on Brocade.

I have created an extended acl to permit only one IP address through and assigned the acl to the input of a virtual routing interface, but it blocks all traffic. Config is below.
I am testing on a spare FCX648S-HPOE switch running router code (FCXR07202d).

I have two vlans (200 & 201) and two virtual routing interfaces (ve 200 with 192.168.60.1 & ve 201 with 10.1.60.1).

All ports except 1 are tagged in both vlans, dual-mode in vlan 201 (so VoIP phones can hop onto VoIP vlan 200).

Port 1/1/1 is untagged in vlan 200.

I have three network devices connected to this switch:

port 1/1/1 is 192.168.60.2

port 1/1/2 is 10.1.60.2

port 1/1/3 is 10.1.60.3
I want to be able to access 192.168.60.2 from 10.1.60.2, but nothing else.
I have continuous pings running from 10.1.60.2 and 10.1.60.3, to 192.168.60.2
I have created an extended acl 101 like this:

access-list 101 permit ip 10.1.60.2/32 any
Then I applied it to the in of the virtual interface that routes traffic to vlan 200, ve 200 like this:

(conf)#int ve 200

(config-vif-200)#ip access-group 101 in
When I apply the access-group to the ve 200, pings stop from both 10.1.60.2 and 10.1.60.3. I expected pings to only stop from 10.1.60.3.
What am I missing here?
config:

SSH@VLAN_ACL_Testing>show runn
Current configuration:
!
ver 07.2.02dT7f3
!
stack unit 1
module 1 fcx-48-poe-port-management-module
module 2 fcx-cx4-2-port-16g-module
!
global-stp
!
!
!
vlan 1 name DEFAULT-VLAN by port
spanning-tree
!
vlan 200 name VoiceVLAN by port
tagged ethe 1/1/2 to 1/1/48
untagged ethe 1/1/1 
router-interface ve 200
!
vlan 201 name dataVLAN by port
tagged ethe 1/1/2 to 1/1/48
router-interface ve 201
!
!
!
!
!
!
!
!
!
!
boot sys fl sec
enable acl-per-port-per-vlan
enable super-user-password .....
hostname VLAN_ACL_Testing
!
cdp run
fdp run
clock timezone gmt GMT-06
no port bootp
interface ethernet 1/1/1
inline power
!
interface ethernet 1/1/2
dual-mode 201
inline power
!
interface ethernet 1/1/3
dual-mode 201
inline power
!

----------break---------
!
interface ethernet 1/1/48
dual-mode 201
inline power
!
interface ve 200
acl-logging
ip access-group 101 in
ip address 192.168.60.1 255.255.255.0
!
interface ve 201
ip address 10.1.60.1 255.255.255.0
!
!
!
access-list 101 permit ip host 10.1.60.2 any
!
end
Frequent Contributor
Posts: 144
Registered: ‎11-07-2013

Re: Having trouble with applying ACL to ve on incoming traffic - want to allow only specific IPs

Hi John,

    Apply the access list to VE 201 as you are being routed from VE 201 to VE 200 - so VE 200 will see the source IP as VE 201 - I think :)

Thanks

Michael.

Contributor
Posts: 40
Registered: ‎01-28-2013

Re: Having trouble with applying ACL to ve on incoming traffic - want to allow only specific IPs

After I applied the access-group to the ve 201, my 10.1.60.2 device lost its connection to 10.1.60.1 (also the DHCP server IP in the switch) when 10.1.60.2 tried to renew its IP address. It seems like applying the access-list to the ve 201 would prevent anything from leaving the 10.1.60.x subnet, as it would have to go through the virtual routing interface of 10.1.60.1 to get anywhere. I would like to just limit access to only the vlan 200, but allow access to other vlans in the future.

Should I try it as an outbound acl on the ve 200 interface?

It seems to me that there is something fundamental that I am not understanding about ACLs, as I thought it all made perfect sense, but it is not working the way that I thought.

Does anyone else have a working acl on a virtual routing interface to permit a small list of IPs and deny everything else?

Frequent Contributor
Posts: 144
Registered: ‎11-07-2013

Re: Having trouble with applying ACL to ve on incoming traffic - want to allow only specific IPs

Hi John,

    Remember that with an ACL there is always a deny at the end of the ACL. So something like the below should do what you want to do - applied to VE 201 in.

Extended IP access list 101
permit ip host 10.1.60.2 any
deny ip 10.1.60.0 0.0.0.255 192.168.60.0 0.0.0.255
permit ip any any

Thanks

Michael.

Contributor
Posts: 40
Registered: ‎01-28-2013

Re: Having trouble with applying ACL to ve on incoming traffic - want to allow only specific IPs

Michael, that worked like a charm!! Thank you so much man! I owe you a beer :)
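As an added illustration (not code from the thread or from Brocade), a small Python first-match ACL evaluator replays the three placements discussed above against the poster's own addresses. It assumes contiguous wildcard masks and that an inbound ve ACL filters packets arriving from that ve's VLAN, including packets addressed to the switch itself (which the DHCP symptom suggests); the DHCP DISCOVER case is an assumption added here.

```python
"""Added example, not from the thread: first-match ACL evaluation replayed
against the poster's addressing (assumptions are stated in the lead-in)."""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

def host(addr: str) -> ipaddress.IPv4Network:
    """'host A.B.C.D' is the /32 containing that address."""
    return ipaddress.ip_network(f"{addr}/32")

def wildcard(addr: str, mask: str) -> ipaddress.IPv4Network:
    """'A.B.C.D W.W.W.W' wildcard notation: 0.0.0.255 is a /24 (contiguous masks only)."""
    prefix = 32 - bin(int(ipaddress.IPv4Address(mask))).count("1")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def evaluate(acl, src: str, dst: str) -> str:
    """Walk the ACL top-down; the first line matching source AND destination wins.
    A packet matching no line hits the implicit 'deny ip any any' at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action
    return "deny"

# The poster's original one-liner: access-list 101 permit ip host 10.1.60.2 any
ORIGINAL_ACL = [("permit", host("10.1.60.2"), ANY)]

# The corrected ACL from the accepted answer, applied inbound on ve 201.
FIXED_ACL = [
    ("permit", host("10.1.60.2"), ANY),
    ("deny", wildcard("10.1.60.0", "0.0.0.255"), wildcard("192.168.60.0", "0.0.0.255")),
    ("permit", ANY, ANY),
]

def thread_scenarios() -> dict:
    """Verdicts for the packets that actually cross each ACL in the three attempts."""
    return {
        # Attempt 1, ACL on ve 200 in: it never sees the 10.1.60.x echo requests (they
        # enter on ve 201); it sees the echo replies from 192.168.60.2 and drops them all.
        "ve200 in: reply 192.168.60.2 -> 10.1.60.2": evaluate(ORIGINAL_ACL, "192.168.60.2", "10.1.60.2"),
        # Attempt 2, same one-liner on ve 201 in: every other 10.1.60.x host loses the
        # switch's DHCP server, and (assumption) so does a DHCP DISCOVER sent from 0.0.0.0.
        "ve201 in: 10.1.60.3 -> 10.1.60.1 (DHCP)": evaluate(ORIGINAL_ACL, "10.1.60.3", "10.1.60.1"),
        "ve201 in: DHCP discover 0.0.0.0 -> 255.255.255.255": evaluate(ORIGINAL_ACL, "0.0.0.0", "255.255.255.255"),
        # Attempt 3, corrected ACL on ve 201 in: only 10.1.60.2 may reach VLAN 200,
        # but everything else from the data VLAN (DHCP, future VLANs) still works.
        "fixed: 10.1.60.2 -> 192.168.60.2": evaluate(FIXED_ACL, "10.1.60.2", "192.168.60.2"),
        "fixed: 10.1.60.3 -> 192.168.60.2": evaluate(FIXED_ACL, "10.1.60.3", "192.168.60.2"),
        "fixed: 10.1.60.3 -> 10.1.60.1 (DHCP)": evaluate(FIXED_ACL, "10.1.60.3", "10.1.60.1"),
    }
```

Calling `thread_scenarios()` returns "deny" for both of the failed attempts and "permit"/"deny"/"permit" for the three corrected cases, matching what the thread reports.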
