

New Member
Posts: 1
Registered: ‎12-06-2018

Trouble with ACLs on virtual interface

We're setting up a network with several ICX switches. We've got several VLANs configured, each one associated with a virtual interface. Below is the configuration for VLANs and VEs 10 and 20:

vlan 10 name A by port
tagged ethe 1/2/3 ethe 1/2/5 ethe 2/1/32 ethe 2/2/3 ethe 2/2/5
untagged ethe 1/1/48
router-interface ve 10
!
vlan 20 name B by port
tagged ethe 1/2/3 ethe 1/2/5 ethe 2/1/32 ethe 2/2/3 ethe 2/2/5
untagged ethe 1/1/4 to 1/1/6 ethe 2/1/4 to 2/1/6 ethe 2/1/9 to 2/1/10 ethe 2/1/12 ethe 2/1/17 to 2/1/18 ethe 2/1/21 ethe 2/1/23
router-interface ve 20
interface ve 10
ip address 172.16.40.1 255.255.248.0
ip helper-address 1 172.16.17.254
!
interface ve 20
ip address 172.16.16.1 255.255.240.0

Currently, all of the VLANs can talk to each other, but we want to be able to restrict access to network resources on a per-VLAN basis.

I'm trying to set up a layer 3 ACL so that VLAN 10 can *only* be accessed from VLAN 20. So I created the following access lists:

ip access-list extended "A ACL IN"
permit ip 172.16.16.0 0.0.15.255 any
deny ip any any
!
ip access-list extended "A ACL OUT"
permit ip any 172.16.16.0 0.0.15.255
deny ip any any

When adding these ACLs to VE 10:

interface ve 10
 ip access-group "A ACL IN" in
 ip access-group "A ACL OUT" out

Suddenly VLAN 10 can't access anything on VLAN 20 and vice versa. Can anyone see what I'm doing wrong here?
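As an added illustration that is not part of the thread, the Python below models first-match evaluation of the two posted lists on VE 10, using the subnets from the posted VE configuration (172.16.40.0/21 behind VE 10, 172.16.16.0/20 behind VE 20), and places a direction-aware pair (my assumption, not the poster's config) beside them. Inbound on a VE means packets arriving from that VLAN's own hosts, so a list applied "in" on VE 10 sees VLAN 10 source addresses and a list applied "out" sees VLAN 10 destination addresses; the constructed host addresses are examples only.

```python
import ipaddress

# Subnets taken from the posted VE configuration (wildcard masks, ICX/Cisco style)
ANY = ("0.0.0.0", "255.255.255.255")
VLAN10 = ("172.16.40.0", "0.0.7.255")    # VE 10: 172.16.40.1 255.255.248.0
VLAN20 = ("172.16.16.0", "0.0.15.255")   # VE 20: 172.16.16.1 255.255.240.0

def wildcard_match(addr, net, wildcard):
    """A 1 bit in the wildcard mask means 'don't care'; 0 bits must match."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w & 0xFFFFFFFF) == (n & ~w & 0xFFFFFFFF)

def evaluate(acl, src, dst):
    """First matching entry wins; an extended ACL ends with an implicit deny."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action
    return "deny"

# The two lists exactly as posted (entry: action, src net, src wc, dst net, dst wc)
A_ACL_IN = [("permit", *VLAN20, *ANY), ("deny", *ANY, *ANY)]
A_ACL_OUT = [("permit", *ANY, *VLAN20), ("deny", *ANY, *ANY)]

# Direction-aware equivalents (my assumption, not the poster's config): on VE 10,
# "in" sees packets from VLAN 10 hosts and "out" sees packets forwarded to VLAN 10
# hosts. Both directions need a permit because a stateless ACL cannot track replies.
A_ACL_IN_FIXED = [("permit", *VLAN10, *VLAN20), ("deny", *ANY, *ANY)]
A_ACL_OUT_FIXED = [("permit", *VLAN20, *VLAN10), ("deny", *ANY, *ANY)]

def ve10_as_posted(src, dst, direction):
    return evaluate(A_ACL_IN if direction == "in" else A_ACL_OUT, src, dst)

def ve10_direction_aware(src, dst, direction):
    return evaluate(A_ACL_IN_FIXED if direction == "in" else A_ACL_OUT_FIXED, src, dst)

if __name__ == "__main__":
    host20, host10, other = "172.16.16.50", "172.16.40.50", "172.16.8.50"  # constructed
    for label, fn in (("as posted", ve10_as_posted), ("direction-aware", ve10_direction_aware)):
        print(f"{label:16} VLAN20->VLAN10 (out): {fn(host20, host10, 'out')}  "
              f"reply VLAN10->VLAN20 (in): {fn(host10, host20, 'in')}  "
              f"other->VLAN10 (out): {fn(other, host10, 'out')}")
```

With the lists as posted, neither the VLAN 20 to VLAN 10 packet nor its reply matches a permit entry in the direction it is checked, so both fall through to the deny; the direction-aware pair permits that pair of flows and still denies a third subnet.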

 

External Moderator
Posts: 5,541
Registered: ‎02-23-2004

Re: Trouble with ACLs on virtual interface

@jaikapoor

 

The ICX switch line was acquired by Ruckus; please post your question on their Ruckus Community.
