CommScope RUCKUS Community Forums

whisler_soineus · ‎03-06-2020

Hi guys, I'm experiencing a new problem. I configured an ACL to restrict access from vlans to other vlans, applying it on virtual interface. If The traffic cannot reach the vlans to which the ACL is applying, but the ip address assigned to the virtual interface is still reachable by the traffic coming from the Vlans that are blocked. How can I prevent the ve ip address from accessing by blocked vlans?

netwizz · ‎03-06-2020

Good Day:

The VLANs already restrict Layer-2 traffic "frames" from VLAN to VLAN.

Your ACL you applied directionaly on the VRI (Virtual Router Interface) controls Layer-3 "packets" from traveling Subnet to Subnet.

Yes, I completely realize that placing a an IP /W Mask on a VRI ads that subnet to the device's routing table as a directly-connected route available via that VE interface.

***

Let's say you have this:

vlan 123 name Ruckus-Wireless-Forum-Example by port
untagged ethe 1/1/1 to 1/1/24
router-interface ve 123
!
interface ve 123
 port-name VRI often called SVI by some other vendor whom shall remain nameless
 ip add 10.0.0.1 255.255.255.0
 ip access-group Break-Everything out
 !
ip access-list extended Break-Everything
deny ip any any
!

From any Interface 1/1/1 to 1/1/24, you will STILL be able to transmit data WITHIN Vlan 123, so if you connect two computers say on port 2 and 17 and do an FTP or Windows Workgroup file-copy etc. it will work just the same as if there was no VRI ever assigned.

That said, 10.0.0.1 IS WITHIN Vlan 123, so it will be reachable, too from any IP within that subnet connected 1/1/1 to 1/1/24

Specifically, you need to visualize it mentally as a little-guy standing on that interface inside the router (or switch), and the little guy is ONLY concerned with traffic that actually passes through it whether that traffic is coming IN vs going OUT, the little fellow knows there are two sides to every interface. It's easier to think of it back in the day when routers had IP addresses assigned to physical interfaces; they still can but more and more it is Layer-3 switches all around.

Hope this helps.

whisler_soineus · ‎03-09-2020

Hi,
Thanks you very much for your quick response. I understand very well what you mean. But in my case, I don't want any other vlans that are blocked by a ruler in my ACL get access to router (ve ip address) itself.
The problem is, the concerned vlan is a management vlan and the ACL suppose to permit only hosts in that vlan to connect to the router for managing it. But I've tried with an host in an other vlan and it is able to ping the ve ip address and connect to it using SSH. Furthermore, with this same host I cannot connect to a stack management ip address in the management vlan because is blocked by the ACL.

So, my ACL can prevent stack from accessing by hosts that are in vlans which are not permit to connect to it, but does anything to prevent router (ve interface) from accessing by these same hosts.

This is my problem.....

netwizz · ‎03-11-2020

I am sorry to have not written back sooner and for being somewhat unclear above. The VRI has nothing to do with local traffic within a particular VLAN... It is only used to get off the network by serving as a default-gateway. It can also have IP helpers to listen and forward DHCP.

Conceptually think of it as an old dumb layer-2 switch ( not capable of routing) with a physical interface of a router plugged into a switch interface... and another router interface plugged into another dumb layer-2 switch. Each VLAN contains a collection of interfaces that serve as that conceptual dumb Layer-2 switch. That ve is just like the router interface plugged into your L2 switch. Hold the mental image of this network diagram above:

Switch ——— Router ——— Switch

You state...

“I don’t want other VLANS blocked by a rule to gain access to the router...”

The Access List (your control mechanism) is applied within the router portion of that diagram because where conceptually it is applied to a Layer-3 (routing) interface (the VE). Your controls are IP based controls presumably by IP or subnet on an access-list.
####

You want to restrict management to manage your switch to IPs in the management VLAN..,

There are a LOT of ways to do that. One of the easiest is to remove the management VLANs SVI from the default VRF, so it is not routable from subnets outside. This is in fact what Cisco does for Out-Of-Band-Management out of the box.

If you have devices in this VLAN that need to then get out, you would have to treat this as a separate router and add traditional routing entries how to get to destination subnets via a next hop OR thou could use Policy-Based-Routing to take the source into effect.

The above is probably too complex a way to accomplish what you want though.

Your issue might be the type or location where you apply your access list. In and Out confuses people regularly in that traffic doesn’t travel through interfaces but rather in or out.

Very Important Concept:
If you have management ve 123 and workstations ve 10.., If a management workstation sent packets to a workstation, those packets would come IN on ve 123 and then are processed by the routing table before going OUT of ve 10. That is to say a packet need not ever come out of ve 123 to be inside the router. Additionally said packet need not go into ve 10 to go out of ve 10...

Generally standard ACLs Filter based on source but are typically placed near the destination. Extended ACLs filter based on both source and destination; they are generally placed near the source to drop traffic before it is processed (I.e, routing table).

Easiest Solution:

(Config)#ssh access-group
If it is even an option, I suggest a standard ACL to filter based on source.

whisler_soineus · ‎03-12-2020

Thanks you very much. I understand now what I have to do with this. I will let you know....

CommScope RUCKUS Community Forums

applying acl on ve ip address