Ethernet Switches & Routers

New Contributor
Posts: 2
Registered: ‎01-21-2017

ACL for isolating a VLAN

I already have 4 VLANs configured on an ICX-7750. Now I want to create a new VLAN on the ICX-7750, and that VLAN should not communicate with any other VLAN. The purpose of creating this VLAN is to segregate the backup network in our datacenter.


So how can I achieve this? Do I need to create an ACL for isolating the new VLAN from the rest of the traffic?



Ankur Mishra

Frequent Contributor
Posts: 137
Registered: ‎07-20-2015

Re: ACL for isolating a VLAN

SSH@SWITCHNAME(config)#vlan 1234 name Backup by port
SSH@SWITCHNAME(config-vlan-1234)#untagged ethe x/x/x to x/x/x




Unless you want to trunk it with 802.1Q, in which case use "tagged".


Do NOT create the "router ve 1234" interface if you want it private. Your VLAN is now unreachable by others. If you set up routing, then the VLAN tags get stripped off to route the packet and a new Layer-2 frame gets put on... No privacy doing that.




If you are using the Multi-Layer firmware and make the SVI, configuring it as a directly connected network, then the ICX-7750 will route for its directly connected networks. Of course, you could then statically let other devices know where to find the network(s) the ICX-7750 has, or set up a dynamic routing protocol such as OSPF to redistribute it.


Regardless, at this point you can control traffic to/from the VLAN with access lists.

Here is how:




For example:


On a device with hosts, you can stop that traffic from going out. You could do it on IP. You could flip the direction to "in" instead of "out"... You can use the keyword "any" to describe everything, etc.



ip access-list extended STOP
 remark block TCP to port 8530 from the one host (x.x.x.x), let everything else through
 deny tcp host x.x.x.x any eq 8530
 permit ip any any
interface ve 1234
 ip access-group STOP out



There is an implicit deny, so if you just permit things, whatever you permit gets through and everything else gets denied by default. The above should get the job done.
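As an added worked example (written for this page, not part of Ankur Mishra's reply or any Brocade documentation) of the second option above: keep a ve on the backup VLAN so its hosts have a gateway, but use inbound ACLs so that the backup network can exchange routed traffic with exactly one management host and nothing else. Every address, port range and VLAN ID below is an assumption: backup VLAN 1234 is 10.34.0.0/24 with the ve at 10.34.0.1, the four existing VLANs are 10 to 13 with ve 10 to ve 13 (ve 10 shown as 10.10.0.1/24), and 10.10.0.50 is the management host.

```fastiron
! Added example, not from the original reply. Assumed addressing:
!   backup VLAN 1234   10.34.0.0/24, gateway ve 1234 = 10.34.0.1
!   existing VLANs     10 to 13, routed on ve 10 to ve 13
!   management host    10.10.0.50 (the only outside host allowed)
!
vlan 1234 name Backup by port
 untagged ethe 1/1/10 to 1/1/20
 router-interface ve 1234
!
! Filters what the backup VLAN sends towards the router, i.e. towards
! every other VLAN. Traffic between two backup hosts is switched inside
! VLAN 1234 and never reaches this ACL.
ip access-list extended BACKUP-IN
 remark backup hosts may talk to the management host only
 permit ip 10.34.0.0 0.0.0.255 host 10.10.0.50
 remark explicit deny with log so attempts to leave the VLAN are visible
 deny ip 10.34.0.0 0.0.0.255 any log
 remark anything not matched above is dropped by the implicit deny
!
! Filters what the other VLANs send towards the backup subnet.
ip access-list extended NO-BACKUP
 remark the management host may reach the backup subnet
 permit ip host 10.10.0.50 10.34.0.0 0.0.0.255
 remark nobody else may; the VLAN's remaining traffic is unaffected
 deny ip any 10.34.0.0 0.0.0.255 log
 permit ip any any
!
interface ve 1234
 ip address 10.34.0.1 255.255.255.0
 ip access-group BACKUP-IN in
!
! NO-BACKUP goes inbound on every existing VLAN interface (ve 10 to
! ve 13); ve 10 is shown, repeat for the other three.
interface ve 10
 ip address 10.10.0.1 255.255.255.0
 ip access-group NO-BACKUP in
```

Two points a practitioner should check. First, these ACLs are stateless: there is no connection tracking, so the management host's session needs a permit in both ACLs (backup to 10.10.0.50 in BACKUP-IN, 10.10.0.50 to backup in NO-BACKUP); drop either one and the session fails in one direction. Second, the explicit `deny ... log` lines exist only to make blocked attempts visible; the isolation itself comes from the implicit deny at the end of BACKUP-IN, so removing the log line changes nothing about what gets through. Inbound ACLs are used throughout because they are the direction every FastIron release filters; whether outbound ACLs on a ve are available on your ICX-7750 depends on the firmware release, so check the release notes before relying on the `out` form.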


