Ethernet Switches & Routers

New Contributor
Posts: 2
Registered: ‎01-21-2017

ACL for isolating a VLAN

I already have 4 VLANs configured on the ICX-7750. Now I want to create a new VLAN on the ICX-7750 and want that VLAN to not communicate with any other VLAN. The purpose of creating this VLAN is to segregate the backup network in our datacenter.

So how can I achieve this? Do I need to create an ACL to isolate the new VLAN from the rest of the traffic?

Regards

Ankur Mishra

Frequent Contributor
Posts: 122
Registered: ‎07-20-2015

Re: ACL for isolating a VLAN

SSH@SWITCHNAME8#conf t
SSH@SWITCHNAME(config)#vlan 1234 name Backup by port
SSH@SWITCHNAME(config-vlan-1234)#untagged ethe x/x/x to x/x/x

Unless you want to trunk it with 802.1Q, in which case use "tagged".

Do NOT create the "router ve 1234" interface if you want it private. Your VLAN is now unreachable by others. If you set up routing, then the VLAN tags get stripped off to route the packet, and a new Layer-2 frame gets put on... No privacy doing that.

****************************

If you are using the Multi-Layer firmware, make the SVI, and configure it as a directly connected network, then the ICX-7750 will route for its directly connected networks. Of course, you could then statically let other devices know where to find the network(s) the ICX-7750 has, or set up dynamic routing protocols such as OSPF to redistribute it.

Regardless, at this point you can control traffic to/from the VLAN with access lists.

Here is how:

http://www.brocade.com/content/html/en/configuration-guide/NI_05800a_SECURITY/GUID-27E9216F-9DC4-45E6-8AA7-ED7D9F7CA75A.html

For example:

On a device with host 10.1.2.3, you can stop that traffic from going out. You could do it on IP. You could flip the direction to "in" instead of "out"... You can use the keyword "any" to describe everything, etc.

ip access-list extended STOP
deny tcp host 10.1.2.3 eq 8530 10.34.0.0 0.0.255.255
permit ip any any
!
interface ve 1234
ip access-group STOP out
!

There is an implicit deny, so if you just permit things, whatever you permit gets through and everything else gets denied by default. The above should get the job done.
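The access-list semantics the answer relies on (first match wins, Brocade/Cisco-style wildcard masks where a 1 bit means "don't care", and the implicit deny at the end) can be checked offline with the small evaluator below. This is an added example, not code from the original post or from Brocade: it parses the STOP list quoted in the answer plus a constructed BACKUP-ISOLATE list, and evaluates constructed sample packets against them. The backup VLAN subnet 10.99.0.0/24 and the 10.0.0.0/8 range standing in for the other four VLANs are assumptions. The STOP list as written only blocks one host on one source port; the constructed list shows the shape of an ACL that keeps the backup subnet away from the other VLAN subnets while still letting it reach anything else, which only matters if a ve is created for the VLAN at all (if it is not, as the answer says, nothing is routed in the first place).

```python
import ipaddress
from dataclasses import dataclass

# ACL from the answer above (one host / source port blocked, everything else permitted).
STOP_ACL = """
ip access-list extended STOP
deny tcp host 10.1.2.3 eq 8530 10.34.0.0 0.0.255.255
permit ip any any
"""

# Constructed example (assumption): the backup VLAN is 10.99.0.0/24 and the other
# VLANs all live inside 10.0.0.0/8.  Applied "in" on the backup VLAN's ve, it drops
# backup-to-other-VLAN traffic and lets the backup subnet reach anything else;
# the implicit deny at the end covers every other source.
BACKUP_ISOLATE_ACL = """
ip access-list extended BACKUP-ISOLATE
deny ip 10.99.0.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip 10.99.0.0 0.0.0.255 any
"""


@dataclass
class Packet:
    proto: str          # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def wildcard_match(addr, wildcard, ip):
    """Wildcard mask semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (int(ipaddress.IPv4Address(ip)) | w)


def _take_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; return (addr, wildcard, rest)."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]


def _take_port(tokens):
    """Consume an optional 'eq N' qualifier; return (port or None, rest)."""
    if tokens and tokens[0] == "eq":
        return int(tokens[1]), tokens[2:]
    return None, tokens


def parse_acl(text):
    """Return the permit/deny entries of an extended ACL in order; the header and '!' are skipped."""
    entries = []
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] not in ("permit", "deny"):
            continue
        action, proto = t[0], t[1]
        src, swild, rest = _take_addr(t[2:])
        sport, rest = _take_port(rest)
        dst, dwild, rest = _take_addr(rest)
        dport, _ = _take_port(rest)
        entries.append((action, proto, src, swild, sport, dst, dwild, dport))
    return entries


def evaluate(entries, pkt):
    """The first matching entry decides; no match at all means the implicit deny."""
    for action, proto, src, swild, sport, dst, dwild, dport in entries:
        if proto != "ip" and proto != pkt.proto:
            continue
        if not wildcard_match(src, swild, pkt.src) or not wildcard_match(dst, dwild, pkt.dst):
            continue
        if sport is not None and sport != pkt.sport:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action
    return "deny"


def decide(acl_text, pkt):
    """Parse an ACL body and return 'permit' or 'deny' for one packet."""
    return evaluate(parse_acl(acl_text), pkt)


if __name__ == "__main__":
    samples = [
        (STOP_ACL, Packet("tcp", "10.1.2.3", "10.34.5.6", 8530, 443)),              # deny
        (STOP_ACL, Packet("tcp", "10.1.2.3", "10.34.5.6", 8531, 443)),              # permit: other source port
        (BACKUP_ISOLATE_ACL, Packet("tcp", "10.99.0.20", "10.10.1.5", 40000, 445)),  # deny
        (BACKUP_ISOLATE_ACL, Packet("tcp", "10.99.0.20", "203.0.113.9", 40000, 443)),  # permit
        (BACKUP_ISOLATE_ACL, Packet("tcp", "10.10.1.5", "10.99.0.20", 40000, 22)),   # implicit deny
    ]
    for acl, pkt in samples:
        print(acl.split()[3], pkt, "->", decide(acl, pkt))
```

Running it shows why the STOP list is a poor fit for the question: a packet from 10.1.2.3 with any source port other than 8530, or to any destination outside 10.34.0.0/16, falls through to permit ip any any. The constructed list denies the whole backup subnet towards the other VLANs first and only then permits it elsewhere, so the order of the two entries matters.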