Filtering VLANS with XOS

[alguien0000]

Hi, I try to do this:
I have 3 vlans: vlan1, vlan2, vlan3, but i need that :
1. vlan1 only can reach vlan3
2. vlan2 can reach vlan1 and vlan3.
3. vlan3 can reach vlan1 and vlan2.

I made this acl but it does not work because deny traffic bidirectional from vlan1 - vlan2.

entry filter {
if {
source-ipaddress <vlan1-ipaddress segment /24>;
destination-ipaddress <vlan2-ipaddress segment /24>;
} then {
deny;
}
}

anybody have a suggest?

regards in advance.

 

[hokage]

Yea, you have to use tow conditions in the Policy. In this case you can use.

1. vlan1 only can reach vlan3
2. vlan2 can reach vlan1 and vlan3.
3. vlan3 can reach vlan1 and vlan2.

YOU HAVE TO APPLY THIS POLICY TO ALL VLANS...

mmm if i don't wrong in egress mode.
------------------------------------------------------------------------------------------------

entry vlan1_to_vlan3 {
if {
source-ipaddress <vlan1-ipaddress segment /24>;
destination-ipaddress <vlan3-ipaddress segment /24>;
} then {
permit;
}
}

entry vlan_2_vlan1_vlan3 {
if {
source-ipaddress <vlan2-ipaddress segment /24>;
destination-ipaddress <0.0.0.0/0>;
} then {
permit;
}
}

entry vlan_3_vlan1_vlan2 {
if {
source-ipaddress <vlan3-ipaddress segment /24>;
destination-ipaddress <0.0.0.0/0>;
} then {
permit;
}
}

entry Deny {
if {
source-ipaddress 0.0.0.0/0;
destination-ipaddress 0.0.0.0/0;
} then {
deny;
}
}

----------------------------------------------------------------------------------------------

 

[alguien0000]

1. THNX.
2. I will try you suggestion.
3. with a PING what do you thing that happend when a ping returns to respective vlan?

(I remember that this lab was EASY... very EASY with Extremeware.) gg.

best regards

 

[hokage]

with the PING(ICMP) it most block that type of traffic.