Unsolved
3 Posts
November 29th, 2016 05:00
Dell switch N3048 ACL problem
Hello,
We are trying to set up two stacked N3048 switches and we have trouble with ACLs. We need to define ACLs on every VLAN and thought that the rules are applied only when a packet is leaving or entering the VLAN, but we found out that if there is one PC connected to a switch port in a VLAN and we try to create an ACL with a rule enabling ping to this PC, we also need to create a second inbound rule to enable the PC to answer. It looks like the switch is applying inbound ACLs also to packets going from the PC to the switch port. Is that normal?
In this case, if I have a PC with IP 10.1.180.20 in VLAN 5 and I'm trying to ping it from another VLAN (there are no ACLs in the other VLAN), I need to create:
ACL bound to VLAN 5 as inbound
rule 1
permit ICMP packets from any to 10.1.180.20
rule 2
permit ICMP packets from 10.1.180.20 to any
Is it really like that? If I remove the second rule, I'm not able to ping 10.1.180.20 from the other VLAN. On a router I can use, instead of the second rule, something like "permit established connections"...
Thank you for your reaction.
Best regards, Oldrich


DELL-Josh Cr (Moderator, 9.6K Posts, 42.7K Points)
November 29th, 2016 14:00
Hi,
"For all ACL types, the ACL rule can be configured to filter traffic when a packet enters or exits the Ethernet port, LAG, or VLAN interface." (page 72) So it will affect any packets to or from the port. There is an implicit deny at the end of ACLs that denies all traffic that does not specifically meet a permit rule.
OCuda (3 Posts)
November 29th, 2016 23:00
Hi,
OK, I understand. Do you have any advice on how to solve the situation in an environment where every one of our customers has their own VLAN? All VLANs are routed by the N3048 switch, and the switch is connected through one VLAN to a real firewall. Basically we need the customers' VLANs to be separated, with customers going only through one VLAN to the firewall and to the internet. Of course there are some exceptions, but just a few.
I'm not sure whether we have found the right concept for setting up basic restrictions that separate each VLAN and just let each VLAN communicate with the firewall.
Thank you for your advice. We are changing datacenter and trying to come up with an upgraded concept :-)
Best regards, Oldrich
DELL-Josh Cr (Moderator, 9.6K Posts, 42.7K Points)
November 30th, 2016 08:00
Is there a reason why you are putting them on the same VLAN before the firewall? If the firewall supports VLANs, it would be better for it to isolate the traffic. Once they are on the same VLAN, it is going to want them to communicate with each other. Setting up a MAC-based ACL with permits for each may be better for separation if you have to do it this way.
OCuda (3 Posts)
December 1st, 2016 02:00
No, they are in separate VLANs, and these VLANs are routed to the firewall. In most cases the VLANs don't communicate with each other; they just communicate with the internet. There are a few exceptions where VLANs communicate with others.
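Two points in this thread are easier to reason about with a small model of how a stateless, first-match ACL with an implicit deny behaves: the first post's finding that an inbound VLAN ACL sees both the echo request routed into VLAN 5 and the echo reply the PC sends back (so "permit any -> 10.1.180.20" alone leaves the reply to hit the implicit deny), and the later question of how to give each customer VLAN access to the firewall and the internet while keeping it isolated from the other customer VLANs. The Python below is an added example written for this thread, not Dell code and not the N3048's actual ACL engine; it models only IP addresses and protocol, ignores ports, and assumes constructed addressing (client 10.1.10.5 in another VLAN, firewall VLAN 10.1.1.0/24, customer VLANs aggregated under 10.1.128.0/17, a partner customer in 10.1.200.0/24, internet host 203.0.113.10). Whether the VLAN ACL also sees bridged intra-VLAN traffic is not settled by the thread, so the intra-VLAN permit is marked as an assumption. One caveat it makes explicit: because an ACL matches the addresses in the packet rather than the next hop, internet-bound traffic has to be permitted as "any", not as the firewall's subnet, and isolation therefore comes from deny rules placed before that permit.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str    # source IPv4 address
    dst: str    # destination IPv4 address
    proto: str  # "icmp", "tcp", "udp"


@dataclass(frozen=True)
class Rule:
    action: str  # "permit" or "deny"
    proto: str   # "ip" matches every protocol
    src: str     # CIDR prefix or "any"
    dst: str     # CIDR prefix or "any"

    def matches(self, pkt: Packet) -> bool:
        return (self.proto in ("ip", pkt.proto)
                and _covers(self.src, pkt.src)
                and _covers(self.dst, pkt.dst))


def _covers(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; a packet matching no rule hits the implicit deny."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def ping_allowed(acl: List[Rule], client: str, host: str) -> bool:
    """The inbound VLAN ACL sees both the echo request routed into the VLAN and
    the echo reply the host sends back, so both directions must be permitted."""
    request = Packet(client, host, "icmp")
    reply = Packet(host, client, "icmp")
    return evaluate(acl, request) == "permit" and evaluate(acl, reply) == "permit"


# Scenario from the thread: host 10.1.180.20 in VLAN 5, pinged from another VLAN
# (the client address 10.1.10.5 is constructed).
ONE_RULE = [Rule("permit", "icmp", "any", "10.1.180.20/32")]
TWO_RULES = ONE_RULE + [Rule("permit", "icmp", "10.1.180.20/32", "any")]


def customer_vlan_acl(customer: str, firewall: str, all_customers: str,
                      exceptions: List[Tuple[str, str]] = ()) -> List[Rule]:
    """Inbound ACL for one customer VLAN: reach the firewall VLAN and the internet,
    stay isolated from every other customer prefix, plus explicit exception pairs.
    The ACL matches packet addresses, not the next hop, so internet-bound traffic
    must be permitted as 'any'; isolation comes from the deny rules placed before it."""
    acl: List[Rule] = []
    for a, b in exceptions:  # allowed customer-to-customer pairs, both directions
        acl += [Rule("permit", "ip", a, b), Rule("permit", "ip", b, a)]
    acl += [
        Rule("permit", "ip", customer, customer),     # intra-VLAN (assumption: ACL sees it)
        Rule("permit", "ip", customer, firewall),
        Rule("permit", "ip", firewall, customer),
        Rule("deny", "ip", customer, all_customers),  # this customer may not reach others
        Rule("permit", "ip", customer, "any"),        # outbound to the internet via the firewall
        Rule("deny", "ip", all_customers, customer),  # other customers may not enter this VLAN
        Rule("permit", "ip", "any", customer),        # replies from the internet / firewall
    ]                                                 # everything else: implicit deny
    return acl


# Constructed addressing: firewall VLAN 10.1.1.0/24, customer VLANs inside 10.1.128.0/17,
# this customer in 10.1.180.0/24, one permitted partner customer in 10.1.200.0/24.
VLAN5_ACL = customer_vlan_acl("10.1.180.0/24", "10.1.1.0/24", "10.1.128.0/17",
                              exceptions=[("10.1.180.0/24", "10.1.200.0/24")])

if __name__ == "__main__":
    print("one rule, ping works:", ping_allowed(ONE_RULE, "10.1.10.5", "10.1.180.20"))
    print("two rules, ping works:", ping_allowed(TWO_RULES, "10.1.10.5", "10.1.180.20"))
    for pkt in [Packet("10.1.180.20", "203.0.113.10", "tcp"),
                Packet("10.1.180.20", "10.1.181.7", "tcp"),
                Packet("10.1.181.7", "10.1.180.20", "tcp"),
                Packet("10.1.200.9", "10.1.180.20", "tcp")]:
        print(pkt.src, "->", pkt.dst, evaluate(VLAN5_ACL, pkt))
```

Running the script prints the ping result with one and with two rules, then the verdict for an internet-bound flow, an attempt to reach another customer's VLAN in either direction, and the permitted exception pair. The rule order matters: the deny toward the customer aggregate has to sit above "permit customer -> any", otherwise the broad permit would match first and the isolation would silently disappear.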