Ethernet Switches & Routers

Occasional Contributor
Posts: 5
Registered: 05-17-2013

ACL for Inter VLAN routing

Hi,

We have an ICX6650 running FastIron R08010a, and a DHCP server (IP 192.168.2.2) which is connected untagged on eth 1/1/15 and is part of VLAN 2.

We have many VLANs to which DHCP needs to be relayed:

 

ICX6650-64 Router(config)#vlan 2
ICX6650-64 Router(config)#router interface ve 2
ICX6650-64 Router(config)#int ve 2
ICX6650-64 Router(config-vif-2)#ip address 192.168.2.1
ICX6650-64 Router(config-vif-2)#ip helper-address 1 192.168.2.2
ICX6650-64 Router(config-vif-2)#exit
ICX6650-64 Router(config)#vlan 2
ICX6650-64 Router(config)#tagged eth 1/1/11 (here the L2 switch for VLAN 2 is connected at 10G)
ICX6650-64 Router(config)#untagged ethernet 1/1/15 (here the DHCP server is connected)

------------------------------------------------------------------------------

ICX6650-64 Router(config)#vlan 3
ICX6650-64 Router(config)#router interface ve 3
ICX6650-64 Router(config)#int ve 3
ICX6650-64 Router(config-vif-3)#ip address 192.168.3.1
ICX6650-64 Router(config-vif-3)#ip helper-address 1 192.168.2.2
ICX6650-64 Router(config-vif-3)#exit
ICX6650-64 Router(config)#vlan 3
ICX6650-64 Router(config)#tagged eth 1/1/12 (here the L2 switch for VLAN 3 is connected at 10G)

------------------------------------------------------------

 

I want all hosts of all VLANs to be able to access only the DHCP server; apart from that, inter-VLAN routing should not happen between any of the configured VLANs.

With the above configuration the DHCP relay works perfectly, but all VLANs are also able to do inter-VLAN routing.

Please suggest an ACL to restrict them, with an example.

 

Contributor
Posts: 22
Registered: 11-12-2012

Re: ACL for Inter VLAN routing

This is a typical access-list I use for guest wireless. It allows DHCP off of your helper address configured on your gateway, also DNS, and allows http, https and a few other ports. Should do what you need.

Apply it to your VLAN interfaces.


ip access-list extended guestwireless
permit udp any any eq domain
permit tcp any any eq domain
permit udp any any eq bootpc
permit udp any any eq bootps
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq 8443
permit tcp any any eq 9443
permit tcp any any eq 8120

Joe Lentine BCNE
Contributor
Posts: 22
Registered: 11-12-2012

Re: ACL for Inter VLAN routing

Forgot to add: I pulled that off a Cisco 4500. The ICX doesn't have some of the names like www and so on, but just use the port numbers.

For example: permit tcp any any eq 80

Joe Lentine BCNE
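An added example, written for this thread and not posted by either participant nor taken from Brocade documentation: a FastIron-style ACL pair for the configuration in the question, using numeric ports as the second reply suggests. The ACL names `hosts-dhcp-only` and `dhcp-server-vlan`, the assumption that every VLAN subnet falls inside 192.168.0.0/16 (the thread only shows 192.168.2.0/24 and 192.168.3.0/24), and the assumption that hosts should still reach destinations outside that range (e.g. a default route) are mine, not the poster's. The exact keyword set accepted by release R08010a should be checked on the box, since the thread itself notes that the ICX differs from the Cisco ACL in the first reply.

```text
! Client VLANs (ve 3 and every further client VE): only DHCP may leave the VLAN.
! Assumed ACL name and the 192.168.0.0/16 summary are assumptions, not from the thread.
ip access-list extended hosts-dhcp-only
 remark DHCP discover/request go to the broadcast address, renewals go unicast to the server
 permit udp any host 255.255.255.255 eq 67
 permit udp any host 192.168.2.2 eq 67
 remark everything else aimed at any VLAN subnet is dropped (this is what stops inter-VLAN routing)
 deny ip any 192.168.0.0 0.0.255.255
 remark traffic to destinations outside the VLANs (e.g. the default route); delete this line to rely on the implicit deny instead
 permit ip any any

! Server VLAN (ve 2): the DHCP server may answer, nothing else crosses.
ip access-list extended dhcp-server-vlan
 remark offers/acks to the relay agent (giaddr = the VE address, port 67) and direct replies to renewing clients (port 68)
 permit udp host 192.168.2.2 any eq 67
 permit udp host 192.168.2.2 any eq 68
 deny ip any 192.168.0.0 0.0.255.255
 permit ip any any

interface ve 2
 ip access-group dhcp-server-vlan in
interface ve 3
 ip access-group hosts-dhcp-only in
```

The same `hosts-dhcp-only` ACL is bound inbound on each further client VE; one ACL can be attached to many interfaces. Order matters: the two DHCP permits must come before the subnet deny, because entries are matched top-down, first match wins, and anything not matched hits the implicit deny at the end. Traffic between hosts in the same VLAN never passes the VE, so it is unaffected; what the deny does block, besides other VLANs, is client traffic to the VE address itself (pinging or managing the router from a client VLAN), which is usually what you want. Note also why the Cisco list in the first reply alone would not meet the original requirement on the ICX: its `permit tcp any any eq 80` and similar lines have an unrestricted destination, so DNS and web traffic would still route between VLANs; it is the destination address in the permit and deny lines, not the port list, that enforces the separation.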
