Ethernet Switches & Routers

Occasional Contributor
Posts: 15
Registered: ‎09-01-2011

ACL on VE

Hello,

I need some help checking my logic. I'm working on creating a guest VLAN, which will not have access to any internal IP (all private 10.x.x.x and 172.21.x.x) except for our DHCP servers, other devices on the guest network, and internet access. I created an ACL and applied it to the VE outbound, but it did not seem to block any traffic. I applied the same ACL inbound and everything is being blocked. Any ideas what I'm doing wrong?

access-list 104 remark Guest_ACL
access-list 104 permit udp any host 10.159.16.5 eq bootps
access-list 104 permit udp any host 172.21.61.240 eq bootps
access-list 104 permit ip any 10.159.55.0 0.0.0.255
access-list 104 deny ip any 10.0.0.0 0.255.255.255
access-list 104 deny ip any 172.21.0.0 0.0.255.255
access-list 104 permit ip any any

interface ve 410
 port-name Guest-MOV
 ip address 10.159.55.3/24
 ip helper-address 172.21.61.240
 ip helper-address 10.159.16.5
 ip access-group 104 out
 ip vrrp-extended vrid 41
  backup priority 120 track-priority 20
  ip-address 10.159.55.1
  advertise backup
  track-port ethernet 3/8
  short-path-forwarding
  activate

Super Contributor
Posts: 1,087
Registered: ‎12-13-2009

Re: ACL on VE

Hi Timothy,

Please let us know what switch you have, as not all switches support both inbound and outbound ACLs.

Thanks

Michael.

Occasional Contributor
Posts: 15
Registered: ‎09-01-2011

Re: ACL on VE

Hey Michael,

We are using MLXe. I did some more testing and it looks like all traffic was being blocked when I applied the ACL to both outbound and inbound. I removed the outbound ACL, and with the ACL only on the inbound it is working.

I'm still unclear why the different things were happening. When an ACL is applied to a VE inbound, does that apply to traffic leaving the VE or coming in the VE?

Thanks,

Tim

Super Contributor
Posts: 1,087
Registered: ‎12-13-2009

Re: ACL on VE

Hi Tim,

Rule on CES and CER

On Brocade NetIron CES and Brocade NetIron CER devices each port can support one inbound L2 ACL and one inbound IP ACL. If both an inbound L2 ACL and an inbound IP ACL are bound to the same port, incoming packets will be evaluated first by the IP ACL. Include a “permit any any” statement at the end of the IP ACL, or the implicit deny will prevent any packets not explicitly permitted by the IP ACL from being evaluated by the L2 ACL.

"In" means packets coming into the interface (or VE); see the example below:

Brocade(config)# access-list 1 deny 209.157.29.12
Brocade(config)# access-list 1 deny host IPHost1
Brocade(config)# access-list 1 permit any
Brocade(config)# int eth 1/1
Brocade(config-if-e10000-1/1)# ip access-group 1 in
Brocade(config)# write memory

The commands in this example configure an ACL to deny incoming packets from three source IP addresses from being forwarded on port 1/1. The last ACL entry in this ACL permits all packets that are not explicitly denied by the first three ACL entries.

Occasional Contributor
Posts: 6
Registered: ‎07-29-2011

Re: ACL on VE

Hi,

Inbound ACLs on a virtual interface affect traffic coming towards your router from your servers in that VLAN.
Outbound ACLs on a virtual interface affect traffic going from your router towards your server(s) in that VLAN.

For example:

interface ve 3185
 ip address 10.10.10.1/25
 no ip redirect
 ip access-group ve-traffic
 ip access-group v3185 in
 ip access-group v3185rdp out
 ip vrrp-extended vrid 45
  backup
  ip-address 10.10.10.1
  advertise backup
  activate
!


v3185 in:

ip access-list standard v3185
 permit 10.10.10.0 0.0.0.127
!

This access list blocks any traffic -incoming- towards the router/VE which does not match the IP address space of the VE itself (to prevent source address spoofing).

v3185rdp out:

ip access-list extended v3185rdp
 permit tcp host 10.0.0.10 any eq 3389
 deny tcp any any eq 3389
 permit ip any any

This access list blocks any traffic -outbound- from your VLAN/router towards the servers on protocol 3389 unless it matches 10.0.0.10, and permits the rest.

PS. You can probably ignore ip access-group ve-traffic, as this enables filtering of traffic switched within a virtual routing interface (i.e. port x to port y), which might not apply in your case.
PS2. Don't forget to run ip rebind-acl ACL_NAME, or ip rebind-acl all, in config mode after you apply any changes.

-Stefan
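The direction semantics described in the replies above, worked through as an added example that is not code from the thread or from Brocade: a small Python first-match evaluator that parses the ACL entries posted in this thread (ACL 104 from the question, and Stefan's v3185 and v3185rdp) and runs constructed sample packets through them. The sample hosts (10.159.55.50, 10.10.10.9, 192.0.2.9, 93.184.216.34), the port-name table and the helper names are assumptions made for the example. Applied "in" on ve 410 the guest host is the packet source and ACL 104 does what the question intends; applied "out" every packet the router forwards toward the VLAN has a 10.159.55.0/24 destination, so the third entry permits it before either deny is reached, which is consistent with the outbound ACL not blocking anything. Stefan's standard list shows the implicit deny doing the anti-spoofing work.

```python
"""First-match evaluator for the IPv4 access lists posted in this thread.

Added example, not code from the thread or from Brocade.  It understands only
the syntax used above: 'access-list N ...' or a bare 'permit'/'deny', protocol
ip/tcp/udp, 'any', 'host A.B.C.D', 'A.B.C.D WILDCARD', and a trailing 'eq PORT'.
"""
import ipaddress
from collections import namedtuple

PORT_NAMES = {"bootps": 67, "bootpc": 68}   # assumed name table for the thread
Entry = namedtuple("Entry", "action proto src dst dport")

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr(tokens):
    """Consume one address spec; return ((base, care_mask), remaining tokens).
    A 1 bit in a wildcard means 'don't care', so care_mask is its inverse."""
    if tokens[0] == "any":
        return (0, 0), tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0xFFFFFFFF), tokens[2:]
    care = ~_ip(tokens[1]) & 0xFFFFFFFF
    return (_ip(tokens[0]) & care, care), tokens[2:]

def parse_entry(line):
    """Return an Entry, or None for remarks, list headers and blank lines."""
    tok = line.split()
    if tok[:1] == ["access-list"]:
        tok = tok[2:]
    if not tok or tok[0] not in ("permit", "deny"):
        return None
    action, rest = tok[0], tok[1:]
    if rest[0] in ("ip", "tcp", "udp"):           # extended: proto src dst [eq port]
        proto, rest = rest[0], rest[1:]
        src, rest = _addr(rest)
        dst, rest = _addr(rest)
    else:                                         # standard: source only
        proto, dst = "ip", (0, 0)
        src, rest = _addr(rest)
    dport = None
    if rest[:1] == ["eq"]:
        dport = PORT_NAMES.get(rest[1]) or int(rest[1])
    return Entry(action, proto, src, dst, dport)

def parse_acl(text):
    return [e for e in map(parse_entry, text.splitlines()) if e]

def evaluate(entries, proto, src, dst, dport=None):
    """First matching entry decides; falling off the end is the implicit deny."""
    for e in entries:
        if e.proto != "ip" and e.proto != proto:
            continue
        if (_ip(src) & e.src[1]) != e.src[0] or (_ip(dst) & e.dst[1]) != e.dst[0]:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action
    return "deny"

GUEST_ACL = parse_acl("""\
access-list 104 remark Guest_ACL
access-list 104 permit udp any host 10.159.16.5 eq bootps
access-list 104 permit udp any host 172.21.61.240 eq bootps
access-list 104 permit ip any 10.159.55.0 0.0.0.255
access-list 104 deny ip any 10.0.0.0 0.255.255.255
access-list 104 deny ip any 172.21.0.0 0.0.255.255
access-list 104 permit ip any any""")                 # ACL 104 from the question
ANTISPOOF = parse_acl("permit 10.10.10.0 0.0.0.127")   # Stefan's v3185 (standard)
RDP = parse_acl("""\
permit tcp host 10.0.0.10 any eq 3389
deny tcp any any eq 3389
permit ip any any""")                                 # Stefan's v3185rdp (extended)

GUEST, SRV = "10.159.55.50", "10.10.10.9"   # constructed hosts for the samples

def guest_results():
    """ACL 104 'in' on ve 410 (guest is the source) versus 'out' (guest is the
    destination, so entry 3 permits everything before either deny is reached)."""
    return {
        "in_dhcp": evaluate(GUEST_ACL, "udp", GUEST, "10.159.16.5", 67),
        "in_internal": evaluate(GUEST_ACL, "tcp", GUEST, "10.10.1.1", 445),
        "in_same_vlan": evaluate(GUEST_ACL, "tcp", GUEST, "10.159.55.20", 22),
        "in_internet": evaluate(GUEST_ACL, "tcp", GUEST, "93.184.216.34", 443),
        "out_from_internal": evaluate(GUEST_ACL, "tcp", "10.10.1.1", GUEST, 445),
        "out_from_internet": evaluate(GUEST_ACL, "tcp", "93.184.216.34", GUEST, 443),
    }

def stefan_results():
    """v3185 'in' drops spoofed sources through the implicit deny; v3185rdp 'out'
    admits RDP only from the one host and everything else unconditionally."""
    return {
        "spoofed_in": evaluate(ANTISPOOF, "tcp", "192.0.2.9", "10.10.10.1", 22),
        "local_in": evaluate(ANTISPOOF, "tcp", SRV, "10.10.10.1", 22),
        "rdp_from_jump": evaluate(RDP, "tcp", "10.0.0.10", SRV, 3389),
        "rdp_from_other": evaluate(RDP, "tcp", "10.0.0.11", SRV, 3389),
        "https_from_other": evaluate(RDP, "tcp", "10.0.0.11", SRV, 443),
    }

if __name__ == "__main__":
    print(guest_results(), stefan_results())
```

The evaluator models only the parts of the thread's lists that matter for the direction question: destination-based entries like those in ACL 104 only make sense where the guest is the source, i.e. "in" on the VE, and a source-only standard list like v3185 relies on the implicit deny rather than an explicit one. It does not model `ip access-group ve-traffic`, VRRP, or how MLX hardware installs the list, so it says nothing about why both directions together blocked everything.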
