Routing onX450a

Status
Not open for further replies.

dphoneguy24

Technical User
Oct 30, 2003
793
US
I have a VLAN that is public on a X450a for aggregation of DSL subscribers; there are also 3 private-address VLANs on this switch. A sub on the DSL VLAN can ping / see the 3 private VLANs since I need routing enabled.

What would be the easiest way to prevent the DSL VLAN from seeing / contacting the other 3 VLANs?

Thanks
 
You'll have to use an ACL.
What version of XOS are you running?

MCSE CCNA CCDA
 
I would use a Dynamic Access Control List here to keep things easy if you are new to ACLs on ExtremeXOS. It's possible to write a policy file for the ACLs, but you have to be familiar with the rule syntax. Dynamic ACLs simplify the command structure for you when you are first getting used to Extreme's syntax.

Let's say your three private networks are 10.1.1.0/24, 10.1.2.0/24 and 10.1.3.0/24 and your DSL subs are on 192.168.0.0/16

Step 1 - Create the Access Lists necessary to block ICMP from DSL network subs on 192.168.0.0/16 and a rule to implicitly "permit" all other flows.

create access-list BlockPing-to-10.1.1.0 "protocol icmp;icmp-type echo-request;source-address 192.168.0.0/16;destination-address 10.1.1.0/24" "deny"

create access-list BlockPing-to-10.1.2.0 "protocol icmp;icmp-type echo-request;source-address 192.168.0.0/16;destination-address 10.1.2.0/24" "deny"

create access-list BlockPing-to-10.1.3.0 "protocol icmp;icmp-type echo-request;source-address 192.168.0.0/16;destination-address 10.1.3.0/24" "deny"

create access-list Allow-Other-Flows "source-address 0.0.0.0/0;destination-address 0.0.0.0/0" "permit"

All you have done at this point is create the ACLs; you have not applied them to any ports or VLANs yet.

Step 2 - check that your rules have been created.

* X250e-24p.31 # show access-list dynamic
Dynamic Rules: ((*)- Rule is non-permanent )

BlockPing-to-10.1.1.0 Bound to 0 interfaces for application Cli
BlockPing-to-10.1.2.0 Bound to 0 interfaces for application Cli
BlockPing-to-10.1.3.0 Bound to 0 interfaces for application Cli
Allow-Other-Flows Bound to 0 interfaces for application Cli

"Bound to 0 interfaces" means the rule exists but is not applied yet. You can check the fully qualified ACL rule syntax on a rule-by-rule basis:

Step 3 - Verify the individual formatted ACLs in ExtremeXOS syntax. This is really just for you to get familiar with ACL rule syntax as you would write it in a policy file. If you were going to do more advanced ACLs in the future this may be the better way to go, so check out Extreme's syntax.

show access-list dynamic rule BlockPing-to-10.1.1.0
show access-list dynamic rule BlockPing-to-10.1.2.0
show access-list dynamic rule BlockPing-to-10.1.3.0
show access-list dynamic rule Allow-Other-Flows

Step 4 - You can apply the rule to specific ports, but in this case I would just apply to all ports ingress. It's not going to hurt anything. As soon as you enter these commands you are applying these rules to all interfaces ingress. ICMPs should stop from DSL subs after this. The "first" indicates order, meaning add this rule to the "first" or top of the ACL precedence order. The "last" indicates order too: add this rule "last" or at the end of the precedence order.

configure access-list add BlockPing-to-10.1.1.0 first any ingress
configure access-list add BlockPing-to-10.1.2.0 first any ingress
configure access-list add BlockPing-to-10.1.3.0 first any ingress
configure access-list add Allow-Other-Flows last any ingress

Step 5 - Verify that your rule order and precedence are being executed in the order that you want them to:

X250e-24p.8 # show access-list any
#Dynamic Entries ((*)- Rule is non-permanent )
RuleNo  Name                   Application  Zone    Sub-Zone
1       BlockPing-to-10.1.3.0  Cli          SYSTEM  0
2       BlockPing-to-10.1.2.0  Cli          SYSTEM  0
3       BlockPing-to-10.1.1.0  Cli          SYSTEM  0
4       Allow-Other-Flows      Cli          SYSTEM

Be sure to run "save config" to save your changes after you have created and applied your new ACL.

BACK OUT PROCEDURES: If you need to remove the ACLs for testing you just reverse the order. First you must remove the ACLs from all ports, then you can delete the ACLs after they have been unassigned/removed/deactivated.

Delete Step 1: Unassign/Remove/Deactivate ACL on all ports

configure access-list delete "BlockPing-to-10.1.1.0" all
configure access-list delete "BlockPing-to-10.1.2.0" all
configure access-list delete "BlockPing-to-10.1.3.0" all
configure access-list delete "Allow-Other-Flows" all

Delete Step 2: Delete ACL entries from ExtremeXOS

delete access-list BlockPing-to-10.1.1.0
delete access-list BlockPing-to-10.1.2.0
delete access-list BlockPing-to-10.1.3.0
delete access-list Allow-Other-Flows

Hope that helps you.
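Added example, not part of the thread or the poster's own commands: a small Python evaluator for the dynamic-ACL match strings used in the post above. It parses the quoted "key value;key value" match string from the create access-list commands, orders the rules the way "first"/"last" order them (the same precedence that "show access-list any" printed), and runs constructed sample flows through the result. Assumptions: first-match-wins precedence with an implicit permit when nothing matches, support for only the four match keywords the post uses, and a second rule set (BlockDSL-to-*) that is my own variant with the protocol/icmp-type conditions dropped. All addresses, rule names and packets are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Protocol and ICMP-type names the post's rules use, mapped to wire values.
PROTO_NAMES = {"icmp": 1, "tcp": 6, "udp": 17}
ICMP_TYPES = {"echo-reply": 0, "echo-request": 8}
SUPPORTED_KEYS = ("protocol", "icmp-type", "source-address", "destination-address")


@dataclass
class Rule:
    name: str
    conditions: dict
    action: str


def parse_rule(name, match, action):
    """Parse the '<match>' and '<action>' strings of
    create access-list <name> "<match>" "<action>" into a Rule."""
    if action not in ("permit", "deny"):
        raise ValueError(f"{name}: action must be permit or deny, got {action!r}")
    conds = {}
    for part in match.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition(" ")
        if key not in SUPPORTED_KEYS:
            raise ValueError(f"{name}: unsupported match keyword {key!r}")
        conds[key] = value.strip()
    return Rule(name, conds, action)


def order_rules(adds):
    """Model 'configure access-list add <name> first|last any ingress':
    'first' goes to the top of the precedence list, 'last' to the bottom."""
    ordered = []
    for rule, position in adds:
        if position == "first":
            ordered.insert(0, rule)
        elif position == "last":
            ordered.append(rule)
        else:
            raise ValueError(f"{rule.name}: position must be first or last")
    return ordered


def rule_matches(rule, pkt):
    """pkt: dict with src, dst, proto (IP protocol number) and optional icmp_type."""
    for key, value in rule.conditions.items():
        if key == "protocol":
            want = PROTO_NAMES[value] if value in PROTO_NAMES else int(value)
            if pkt["proto"] != want:
                return False
        elif key == "icmp-type":
            want = ICMP_TYPES[value] if value in ICMP_TYPES else int(value)
            if pkt["proto"] != 1 or pkt.get("icmp_type") != want:
                return False
        elif key == "source-address":
            if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(value, strict=False):
                return False
        elif key == "destination-address":
            if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(value, strict=False):
                return False
    return True


def evaluate(rules, pkt):
    """First matching rule wins; no match falls through to the implicit permit."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.name
    return "permit", "<implicit>"


DSL_NET = "192.168.0.0/16"
PRIVATE_NETS = ["10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24"]
ALLOW_OTHER = parse_rule("Allow-Other-Flows",
                         "source-address 0.0.0.0/0;destination-address 0.0.0.0/0", "permit")


def ping_only_ruleset():
    """The post's rule set: deny only ICMP echo-request from DSL to each private net."""
    adds = [(parse_rule(f"BlockPing-to-{net.split('/')[0]}",
                        f"protocol icmp;icmp-type echo-request;"
                        f"source-address {DSL_NET};destination-address {net}", "deny"), "first")
            for net in PRIVATE_NETS]
    adds.append((ALLOW_OTHER, "last"))
    return order_rules(adds)


def deny_all_ip_ruleset():
    """My variant (assumption, not from the post): same syntax with the
    protocol/icmp-type conditions dropped, so every IPv4 packet DSL -> private is denied."""
    adds = [(parse_rule(f"BlockDSL-to-{net.split('/')[0]}",
                        f"source-address {DSL_NET};destination-address {net}", "deny"), "first")
            for net in PRIVATE_NETS]
    adds.append((ALLOW_OTHER, "last"))
    return order_rules(adds)


# Constructed sample traffic (not captured from a real switch).
SAMPLE_PACKETS = {
    "ping dsl->private": {"src": "192.168.10.5", "dst": "10.1.1.20", "proto": 1, "icmp_type": 8},
    "ssh dsl->private": {"src": "192.168.10.5", "dst": "10.1.1.20", "proto": 6},
    "dns dsl->private": {"src": "192.168.10.5", "dst": "10.1.3.53", "proto": 17},
    "ping dsl->internet": {"src": "192.168.10.5", "dst": "203.0.113.7", "proto": 1, "icmp_type": 8},
}


def audit(rules):
    """Map each sample flow to the action the ordered rule set would take."""
    return {flow: evaluate(rules, pkt)[0] for flow, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for label, rules in (("ping-only", ping_only_ruleset()), ("deny-all-ip", deny_all_ip_ruleset())):
        print(label, [r.name for r in rules])
        for flow, action in audit(rules).items():
            print(f"  {flow:20} {action}")
```

The point of the audit is the difference between "can't ping" and "can't contact": under the post's rule set the DSL flows for SSH and DNS to the private VLANs still land on Allow-Other-Flows and are permitted, because the deny rules match only ICMP echo-request. Dropping the protocol and icmp-type conditions in the same dynamic-ACL syntax denies all IPv4 from the DSL range to each private VLAN while the DSL subs' traffic to the Internet still hits the permit rule. Whatever you apply, confirm the resulting order on the switch with "show access-list any" and test a non-ICMP flow, not just ping.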
 