How to use an ACL to prevent inter-VLAN traffic for internal subnets but allow internet traffic

Objective
How to use an ACL to prevent inter-VLAN traffic for internal subnets but allow internet traffic.
Environment
  • EXOS
  • Summit
  • BlackDiamond
Procedure
Let's look at the example below:
 
* X670V-48t.12 # show vlan | include vlan
vlan1           4094 10.1.1.1       /24  -f--------------------------- ANY    0 /0   VR-Default
vlan2           4093 192.168.1.1    /24  -f--------------------------- ANY    0 /0   VR-Default

IP forwarding is enabled on both VLAN interfaces so that clients in either VLAN can reach the internet through the switch. At the same time, we want to block routed traffic between clients in vlan1 and clients in vlan2.

EXOS ACLs are evaluated top to bottom, the first matching entry wins, and any packet that matches no entry is permitted (implicit permit at the end of the policy). So two entries are needed, one denying each direction between the two subnets. All other traffic, including internet traffic, matches neither entry and falls through to the implicit permit:

 
# vlan1 clients must not reach the vlan2 subnet
entry entry1 {
  if match all {
      source-address 10.1.1.0/24;
      destination-address 192.168.1.0/24;
  } then {
      deny;
  }
}
# vlan2 clients must not reach the vlan1 subnet
entry entry2 {
  if match all {
      source-address 192.168.1.0/24;
      destination-address 10.1.1.0/24;
  } then {
      deny;
  }
}

Once the policy file has been created, validate its syntax with check policy <policy-name>, then apply it on ingress to both VLANs (configure access-list <policy-name> vlan vlan1 ingress, and the same for vlan2) and confirm the binding with show access-list. Applying on ingress is enough: entry1 only ever matches on vlan1 and entry2 only on vlan2, but attaching the same policy to both VLANs keeps a single file to maintain. For more details on creating the policy file or applying it to a VLAN, see the article How to create and apply an ACL in EXOS.

Rewriting the policy with explicit per-subnet permits for internet access gains nothing and is easy to get wrong. A permit entry such as source-address 10.1.1.0/24 to destination-address 0.0.0.0/0 also matches inter-VLAN traffic, because 0.0.0.0/0 contains 192.168.1.0/24; if such an entry is placed before the deny entries, the denies are never reached and the VLANs can talk to each other again. Placed after the deny entries it is harmless but redundant, since any traffic that matches no entry is already permitted. The deny-only policy above is therefore the recommended form.
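To make the ordering argument concrete, the following added example (not EXOS code and not part of the original article) models EXOS first-match evaluation with the implicit permit in a few lines of Python and runs three candidate policies over constructed sample flows: the deny-only policy from this article, a variant with a "permit to 0.0.0.0/0" entry placed ahead of the denies, and a variant with the same permit placed after them. The entry names, the client addresses 10.1.1.10 and 192.168.1.20, and the internet host 203.0.113.5 (a documentation-range address) are assumptions made for the example. It also renders a policy list back into the .pol entry syntax shown above so the two forms can be compared side by side.

```python
import ipaddress
from typing import Dict, List, Tuple

# (entry name, source prefix, destination prefix, action), matching the article's entries.
Entry = Tuple[str, str, str, str]

# The deny-only policy from this article, as data.
INTER_VLAN_DENY: List[Entry] = [
    ("entry1", "10.1.1.0/24", "192.168.1.0/24", "deny"),
    ("entry2", "192.168.1.0/24", "10.1.1.0/24", "deny"),
]

# Tempting but wrong: an explicit "internet" permit for vlan1 ahead of the denies.
# 0.0.0.0/0 also contains 192.168.1.0/24, so this entry matches inter-VLAN traffic too.
PERMIT_FIRST: List[Entry] = [
    ("internet", "10.1.1.0/24", "0.0.0.0/0", "permit"),
] + INTER_VLAN_DENY

# Denies first, then a catch-all permit: correct, but the last entry is redundant
# because EXOS already permits anything that matches no entry.
DENY_THEN_PERMIT: List[Entry] = INTER_VLAN_DENY + [
    ("internet", "0.0.0.0/0", "0.0.0.0/0", "permit"),
]


def evaluate(policy: List[Entry], src: str, dst: str) -> Tuple[str, str]:
    """Return (action, entry name) for one packet using EXOS semantics:
    entries are tested top to bottom, the first match wins, and a packet that
    matches no entry is permitted (reported with entry name "implicit")."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    for name, src_net, dst_net, action in policy:
        # strict=False tolerates a host address with a mask, e.g. 10.1.1.1/24.
        if (s in ipaddress.ip_network(src_net, strict=False)
                and d in ipaddress.ip_network(dst_net, strict=False)):
            return action, name
    return "permit", "implicit"


def render_policy(policy: List[Entry]) -> str:
    """Emit the policy in EXOS .pol entry syntax (the form shown in this article)."""
    blocks = []
    for name, src_net, dst_net, action in policy:
        blocks.append(
            f"entry {name} {{\n"
            f"  if match all {{\n"
            f"      source-address {src_net};\n"
            f"      destination-address {dst_net};\n"
            f"  }} then {{\n"
            f"      {action};\n"
            f"  }}\n"
            f"}}"
        )
    return "\n".join(blocks) + "\n"


# Constructed sample flows: a client in each VLAN, vlan1's own gateway, and an
# internet host (203.0.113.5 is from the TEST-NET-3 documentation range).
SAMPLE_FLOWS: Dict[str, Tuple[str, str]] = {
    "vlan1 -> vlan2": ("10.1.1.10", "192.168.1.20"),
    "vlan2 -> vlan1": ("192.168.1.20", "10.1.1.10"),
    "vlan1 -> own gateway": ("10.1.1.10", "10.1.1.1"),
    "vlan1 -> internet": ("10.1.1.10", "203.0.113.5"),
    "vlan2 -> internet": ("192.168.1.20", "203.0.113.5"),
}

INTER_VLAN = {"vlan1 -> vlan2", "vlan2 -> vlan1"}


def audit(policy: List[Entry]) -> Dict[str, str]:
    """Map each sample flow to the action the policy takes on it."""
    return {label: evaluate(policy, s, d)[0] for label, (s, d) in SAMPLE_FLOWS.items()}


def blocks_inter_vlan(policy: List[Entry]) -> bool:
    """True when both inter-VLAN directions are denied and every other flow is permitted."""
    result = audit(policy)
    return (all(result[k] == "deny" for k in INTER_VLAN)
            and all(v == "permit" for k, v in result.items() if k not in INTER_VLAN))


if __name__ == "__main__":
    for label, policy in (("deny only", INTER_VLAN_DENY),
                          ("permit first", PERMIT_FIRST),
                          ("deny then permit", DENY_THEN_PERMIT)):
        print(f"{label:17s} ok={blocks_inter_vlan(policy)!s:5s} {audit(policy)}")
    print(render_policy(INTER_VLAN_DENY))
```

Running it shows "deny only" and "deny then permit" behaving identically, while "permit first" lets vlan1 -> vlan2 through on the "internet" entry; the evaluator returns the matching entry name precisely so that a leak like this can be traced to the entry that caused it.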
 