New Contributor
Posts: 2
Registered: ‎07-09-2013

Problem with VE ACL on ICX7450

Hello,

 

following problem: ACL on VE interface is not working as expected.

 

ICX 7450 SW: Version 08.0.40T213

 

ip route show

4 192.168.100.64/26 DIRECT ve 98 0/0 D 22h54m

6 192.168.110.80/28 DIRECT ve 394 0/0 D 19h37m

 

show running-config interface ve 394

interface ve 394
ip access-group hallowelt in
ip address 192.168.110.81 255.255.255.240
!

 

show ip access-lists hallowelt (STANDARD ACL)

Standard IP access list hallowelt: 1 entry
permit host 192.168.100.67

 

If I try to ping a system within the 192.168.110.80/28 network from the host 192.168.100.67, it isn't working.

I tried to change the access-list with every possible deny/permit any thing, but without any success.

The only way to get to the system is to disable the ACL on the ve 394 interface or to permit any. Everything else blocks the complete traffic.

 

The goal is to deny all inter VLAN traffic and allow only some hosts.

 

Thanks for any advice

Frequent Contributor
Posts: 105
Registered: ‎07-12-2011

Re: Problem with VE ACL on ICX7450

It's been a while, but try this

 

permit ip host 192.168.100.67 any

deny ip 192.168.100.64 0.0.0.63 192.168.110.80 0.0.0.15

permit ip any any

 

The last line would only apply if you have other traffic outside the blocked subnet that you need in

New Contributor
Posts: 2
Registered: ‎07-09-2013

Re: Problem with VE ACL on ICX7450

I've already tried:

 

Extended IP access list 101: 3 entries
permit ip host 192.168.100.67 any
deny ip 192.168.100.64 0.0.0.63 192.168.110.80 0.0.0.15
permit ip any any

 

I'm sure you meant 192.168.100.64 0.0.0.63 for the network.

 

But this didn't work either ..

 

Is it necessary to configure an IN and an OUT access-list?
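
Added example (not part of any post in this thread): a small Python model of first-match ACL evaluation with an implicit deny, run over the ACLs quoted above for both halves of the ping. It assumes an "in" ACL on ve 394 is consulted only for packets sent by hosts in 192.168.110.80/28; the host 192.168.110.82, the RETURN_PATH entry and all function names are constructed for illustration, and FastIron-specific behaviour is not modelled.

```python
import ipaddress

ANY = (0, 0xFFFFFFFF)  # (base, wildcard) pair that matches every IPv4 address

def _ip(a):
    return int(ipaddress.IPv4Address(a))

def parse_rule(line):
    """Parse 'permit|deny [ip] SRC [DST]'; an address is 'any', 'host A' or 'A WILDCARD'."""
    tok = line.split()
    action = tok.pop(0)
    if tok[0] == "ip":
        tok.pop(0)
    def take():
        t = tok.pop(0)
        if t == "any":
            return ANY
        if t == "host":
            return (_ip(tok.pop(0)), 0)
        return (_ip(t), _ip(tok.pop(0)))
    src = take()
    dst = take() if tok else ANY  # standard ACLs match on source only
    return action, src, dst

def matches(addr, spec):
    base, wild = spec  # wildcard bits set to 1 are "don't care"
    return (_ip(addr) | wild) == (base | wild)

def evaluate(acl, src, dst):
    """First matching entry wins; no match falls through to the implicit deny."""
    for line in acl:
        action, s, d = parse_rule(line)
        if matches(src, s) and matches(dst, d):
            return action, line
    return "deny", "implicit deny"

def inbound_on_ve394(acl, src, dst):
    """Assumption: the 'in' ACL only sees packets sent by hosts in ve 394's subnet."""
    if ipaddress.ip_address(src) not in ipaddress.ip_network("192.168.110.80/28"):
        return None  # packet enters the switch on another interface, ACL not consulted
    return evaluate(acl, src, dst)

HALLOWELT = ["permit host 192.168.100.67"]
ACL_101 = ["permit ip host 192.168.100.67 any",
           "deny ip 192.168.100.64 0.0.0.63 192.168.110.80 0.0.0.15",
           "permit ip any any"]
# Constructed for this example: an entry written for the direction ve 394 hosts send in.
RETURN_PATH = ["permit ip 192.168.110.80 0.0.0.15 host 192.168.100.67"]
PINGER, TARGET = "192.168.100.67", "192.168.110.82"  # TARGET is a constructed host address

if __name__ == "__main__":
    print("echo request:", inbound_on_ve394(HALLOWELT, PINGER, TARGET))
    for name, acl in [("hallowelt", HALLOWELT), ("101", ACL_101), ("return-path", RETURN_PATH)]:
        print("echo reply,", name, ":", inbound_on_ve394(acl, TARGET, PINGER))
```

Under these assumptions the echo request is never checked by the inbound ACL on ve 394; it is the echo reply, whose source is in 192.168.110.80/28, that falls through to the implicit deny of hallowelt.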
