04-10-2012 12:02 PM
I need some help checking my logic. I'm working on creating a guest vlan, which will not have access to any internal IP (all private 10.x.x.x and 172.21.x.x) except for our DHCP servers and other devices on the guest network and internet access. I created an ACL and applied it to the VE outbound. But it did not seem to block any traffic. I applied the same ACL inbound and everything is being blocked. Any ideas what I'm doing wrong?
access-list 104 remark Guest_ACL
access-list 104 permit udp any host 10.159.16.5 eq bootps
access-list 104 permit udp any host 172.21.61.240 eq bootps
access-list 104 permit ip any 10.159.55.0 0.0.0.255
access-list 104 deny ip any 10.0.0.0 0.255.255.255
access-list 104 deny ip any 172.21.0.0 0.0.255.255
access-list 104 permit ip any any
interface ve 410
ip address 10.159.55.3/24
ip helper-address 172.21.61.240
ip helper-address 10.159.16.5
ip access-group 104 out
ip vrrp-extended vrid 41
backup priority 120 track-priority 20
track-port ethernet 3/8
04-12-2012 01:19 PM
We are using MLXe. I did some more testing and it looks like all traffic was being blocked when I applied the ACL to both outbound and inbound. I removed the outbound ACL and with the ACL only on the inbound it is working.
I'm still unclear why the different things were happening. When an ACL is applied to a VE inbound, does that apply to traffic leaving the VE or coming in the VE?
04-13-2012 03:31 AM
Rule on CES and CER
On Brocade NetIron CES and Brocade NetIron CER devices each port can support one inbound L2 ACL and one inbound IP ACL. If both an inbound L2 ACL and an inbound IP ACL are bound to the same port, incoming packets will be evaluated first by the IP ACL. Include a “permit any any” statement at the end of the IP ACL, or the implicit deny will prevent any packets not explicitly permitted by the IP ACL from being evaluated by the L2 ACL.
"In" means packets coming into the interface (or VE); see the example below.
Brocade(config)# access-list 1 deny 220.127.116.11
Brocade(config)# access-list 1 deny host IPHost1
Brocade(config)# access-list 1 permit any
Brocade(config)# int eth 1/1
Brocade(config-if-e10000-1/1)# ip access-group 1 in
Brocade(config)# write memory
The commands in this example configure an ACL to deny incoming packets from three source IP addresses from being forwarded on port 1/1. The last ACL entry in this ACL permits all packets that are not explicitly denied by the first three ACL entries.
04-13-2012 03:44 AM
Inbound ACLs on a virtual interface affect traffic coming towards your router from your servers in that vlan.
Outbound ACLs on a virtual interface affect traffic going from your router towards your server(s) in that vlan.
interface ve 3185
ip address 10.10.10.1/25
no ip redirect
ip access-group ve-traffic
ip access-group v3185 in
ip access-group v3185rdp out
ip vrrp-extended vrid 45
v3185 in :
ip access-list standard v3185
permit 10.10.10.0 0.0.0.127
This access list blocks any traffic -incoming- towards the router/VE which does not match the IP address space of the VE itself (to prevent any source address spoofing).
ip access-list extended v3185rdp
permit tcp host 10.0.0.10 any eq 3389
deny tcp any any eq 3389
permit ip any any
This access list blocks any traffic -outbound- from your vlan/router towards the servers on protocol 3389 unless it matches 10.0.0.10, and permits the rest.
ps. You can probably ignore the ip access-group ve-traffic, as this enables filtering of traffic switched within a virtual routing interface (i.e. port x to port y), which might not apply in your case.
ps2. Don't forget to ip rebind-acl ACL_NAME , or ip rebind-acl all , in config mode after you apply any changes.
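Added example (not part of any post in this thread, and not Brocade code): a small Python model of first-match evaluation for ACL 104 from the first post, showing which entry each packet hits when the ACL is bound "in" versus "out" on ve 410. The sample packets are constructed, and the model only looks at the destination because every entry in the posted ACL has source "any".

```python
import ipaddress

# ACL 104 from the first post: (action, protocol, destination, wildcard, dst port).
# The source is "any" in every entry, so only the destination is modelled.
ACL_104 = [
    ("permit", "udp", "10.159.16.5", "0.0.0.0", 67),      # host ... eq bootps
    ("permit", "udp", "172.21.61.240", "0.0.0.0", 67),
    ("permit", "ip", "10.159.55.0", "0.0.0.255", None),
    ("deny", "ip", "10.0.0.0", "0.255.255.255", None),
    ("deny", "ip", "172.21.0.0", "0.0.255.255", None),
    ("permit", "ip", "any", None, None),
]

def wildcard_match(addr, base, wildcard):
    """True when addr equals base on every bit the wildcard mask leaves at 0."""
    if base == "any":
        return True
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def evaluate(acl, proto, dst, dport=None):
    """First matching entry wins; return (action, 1-based entry number)."""
    for n, (action, aproto, base, wildcard, aport) in enumerate(acl, 1):
        if aproto != "ip" and aproto != proto:
            continue
        if aport is not None and aport != dport:
            continue
        if wildcard_match(dst, base, wildcard):
            return action, n
    return "deny", 0  # implicit deny when nothing matches

# Constructed sample packets (proto, dst, dport), not captures from the thread.
# "in" on ve 410: packets sent by guests, so the destination is wherever they are going.
INBOUND = [("udp", "10.159.16.5", 67), ("tcp", "10.20.30.40", 445),
           ("tcp", "172.21.5.5", 22), ("tcp", "198.51.100.7", 443)]
# "out" on ve 410: packets routed toward guests, so the destination is always in 10.159.55.0/24.
OUTBOUND = [("tcp", "10.159.55.20", 51000), ("udp", "10.159.55.21", 68)]

def run(packets):
    return [evaluate(ACL_104, *p) for p in packets]

if __name__ == "__main__":
    for label, pkts in (("in", INBOUND), ("out", OUTBOUND)):
        for pkt, verdict in zip(pkts, run(pkts)):
            print(label, pkt, verdict)
```

In the outbound direction every sample packet stops at entry 3 (permit ip any 10.159.55.0 0.0.0.255), so the two deny entries are never reached; inbound, the same entries are evaluated against the destinations the guests are trying to reach.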