March 9th, 2006 19:00

Hi again jbilliau :-).

You should qualify this by saying that you are working on the 6024, correct?  By default VLANs do not communicate at layer 2, meaning that an L2 switch will not forward packets from one VLAN to another.  However, since you are using a 6024 (L3 router) and you set up routes, the 6024 will route between the VLANs, so you are no longer blocked from communicating between two VLANs.

To make sure that hosts on one VLAN can access only specific systems, or specific ports on those systems, on another VLAN, you need to set up ACLs.  As you mentioned, there are a number of papers online on the Dell support site that explain how ACLs work.

What I would suggest is this: try setting up the ACL based on the examples shown in those papers.  Then post what you tried here and explain your difficulties, and we'll be able to help you figure out the solution.  This will help you understand why something works or doesn't work, and will help you in the long run, since you have to maintain these switches after all :-).

Cuong.

March 10th, 2006 13:00

ACLs are applied in order, so if the first rule already fits then nothing else will be tried.  There is an implicit deny at the end of the set of rules, so if you define a set of "permit" rules and nothing else, then if none of the permit rules succeed the implicit deny will take effect.

Here is the section of the 6024 documentation that talks about ACL CLI commands:

<ADMIN NOTE: Broken link has been removed from this post by Dell>

Cuong.

March 10th, 2006 13:00

Yes, the 6024.  I've just never worked with ACLs much, so I wanted help with priority really.  Would I create all my permit statements first (i.e. port 80, 443, etc.) then put a deny at the end?  Because I put a deny first, then made a permit ACL for port 80, but web browsing never worked.  I'm guessing it never got past that first ACL.

I'd also like to know if there's documentation on commands?  For example, I'm trying to unbind an ACL from an interface, but can only do it through the web interface.  If I try "no service-acl input vlan_2" it doesn't work.  I always thought "no" in front of commands took them off.

March 10th, 2006 14:00

Well, for example, I'm trying to run this command.

Also, what I meant by that last statement is this:

My VLAN2 is on the subnet (10.0.1.0).  So, when I'm creating ACLs that are specifically going to be applied to that VLAN only, do I need to specify permit-tcp 10.0.1.0 0.0.0.255 etc. etc., or should I just put permit-tcp any any etc. etc.?

I just figured if that ACL is applied to VLAN2 only, then you can almost just use "ANY" and not need to put 10.0.1.0 every time as the source.

I know it's confusing..  :)

Message Edited by jbilliau on 03-10-2006 11:23 AM

March 10th, 2006 14:00

The paper is actually describing ACLs on the 33xx, which has a slightly different syntax than the 6024, but the idea is the same.  You should refer to the paper for some idea of how ACLs work, but you need to look at the 6024 documentation for the commands to use.

The 33xx permit commands look like this:

permit-tcp {any | source source-wildcard} {any | source-port} {any | destination destination-wildcard} {any | destination-port} [dscp dscp-number | ip-precedence ip-precedence]

So you can see that the "any" refers to any port.
 
Not sure I understand the last question, but let me guess :-).  You are trying to allow traffic from any source on VLAN 2 to any destination, with access to port 21?  If so, you could specify any for source and destination and port 21.  If you wanted any packet from any source but ONLY to destination address B and only on port 21, then specify ANY for source and the appropriate IP/mask for destination and port 21, for example.

Anyway, just remember that you are applying the ACL only on ingress, so think about what the packet looks like (its source and destination address) and think about how to apply the appropriate rule that would result in denying or permitting the packets that you wanted.
 
Cuong.

March 10th, 2006 14:00

Thank you, Cuong N.

One more question here: in one of the Dell documents on ACLs I see some that say, for example:

permit-tcp 10.0.0.0 0.0.0.255 any 192.168.1.0 0.0.0.63 22

What is the ANY in there for / what does it do?

I always thought ACLs were in the form of:

permit-tcp {source ip} {subnet mask} {destination ip} {subnet mask} {port number}
permit-tcp 10.0.1.0 0.0.0.255 10.0.0.1 0.0.0.255 21

If I'm applying an ACL to VLAN2 and only that VLAN, should I just use ANY instead of source (10.0.1.0)?
 

Message Edited by jbilliau on 03-10-2006 10:26 AM

March 10th, 2006 16:00

Please look at the 6024 documentation, which will give you the correct syntax.  Also, when using the CLI, if you type "permit-tcp ?" you will get online help that tells you what parameters you are missing.  Please review that information.

Here is the command from the 6024 documentation:

permit-tcp {any | source source-wildcard } {any | source-port} {any | destination destination-wildcard } {any | destination-port} [dscp dscp-number | ip-precedence ip-precedence]

Compare that to what you entered and see if you are missing something.

Also review the whitepaper, which explains how ACLs work.  Please note the whitepaper uses 33xx syntax, so you must still look at the 6024 syntax to correct the commands you find in the paper, but the flow is the same.
 
Cuong.

March 10th, 2006 17:00

OK, I really don't get ACLs then.  I've been going over documentation for hours now, trying about every combination with no success.  All I'm trying to do is give VLAN2 (10.0.1.0) access to port 80 (web browsing).

I even tried something simple like:

permit-tcp any any 10.0.0.0 0.0.0.255 80

with no success.

10.0.0.1 is our gateway, so I'm trying to only make the destination that address rather than ANY.  Is my thinking off here, Cuong?

March 10th, 2006 18:00

:-).  OK, think about what this ACL does (permit-tcp any any 10.0.0.0 0.0.0.255 80).

It says you want to allow ANY source address from ANY source port access to destination addresses only on the 10.0.0.0/24 subnet and port 80.  Is that what you intended?  When you try to access the web server, is the web server (destination IP) running on the 10.0.0.0/24 subnet?  Or did you intend for the system to get access to ANY web server out on the internet, such as Yahoo.com for example?  "Yahoo.com" is not likely to be on the 10.0.0.0/24 subnet.

So in this case, what do you really want it to do?  You probably want the workstations on VLAN 2 to have access TO ANY web servers running on the internet, right?  But you also don't want them to have access to anything else besides the web servers.

So maybe this rule might work: "permit-tcp any any any 80".  This says you want any source from any port to any destination, but only if the destination port is 80.  And remember the implicit deny?  So if this rule doesn't match, then the deny rule kicks in, and if the system tries to access any other destination port, it is denied.

So is this enough?  Maybe not.  Remember HTTPS doesn't use port 80, so you may need to open up the HTTPS port too.  What about FTP?  You might want to provide access to the FTP ports, otherwise you won't be able to download from some sites.  There may be other ports you would open up.  Also, is there a DNS server or a DHCP server on the 10.0.0.0/24 subnet that you need to provide access to for the workstations on VLAN 2?  If so, you need to create rules to specifically give access ONLY to that server on the 10.0.0.0/24 subnet.  For example, if your server is 10.0.0.100, then maybe you need a rule like this: "permit-tcp any any 10.0.0.100 any", which gives all the hosts on VLAN 2 access to the server running at the 10.0.0.100 IP address (you could give a specific destination port to provide access only to certain services on the server if you like).  There are lots of other things you can do with ACLs.  Experiment and see what you can do.
 
Cuong.
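An added example, not from this thread or from Dell: a small Python simulation of the two behaviours Cuong describes in this reply and in his earlier one (rules are tried in order and the first match wins; anything unmatched hits the implicit deny at the end). It parses rules written in the permit-tcp {any | network wildcard} {any | port} {any | network wildcard} {any | port} form quoted above, evaluates constructed packets against them, and shows why "permit-tcp any any 10.0.0.0 0.0.0.255 80" does not permit browsing to an internet host while "permit-tcp any any any 80" does, and why a deny placed first blocks everything behind it. The packet addresses (10.0.1.25, 203.0.113.10), the rule indexes it reports and the "deny-tcp" spelling used for an explicit deny are assumptions of this toy, not 6024 syntax.

```python
"""Toy first-match ACL evaluator (added example; not 6024 firmware or Dell code).

Rule form accepted (mirrors the permit-tcp syntax quoted in the thread):
    <permit-tcp|deny-tcp> {any | net wildcard} {any | sport} {any | net wildcard} {any | dport}
'deny-tcp' is this toy's own spelling for an explicit deny entry (assumption).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def match_addr(spec: str, addr: str) -> bool:
    """spec is 'any' or 'network wildcard' (inverted mask: 1 bits are don't-care)."""
    if spec == "any":
        return True
    net, wild = spec.split()
    care = ~ip_to_int(wild) & 0xFFFFFFFF          # bits that must match exactly
    return (ip_to_int(net) & care) == (ip_to_int(addr) & care)


def match_port(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port


@dataclass
class Rule:
    action: str    # 'permit' or 'deny'
    src: str       # 'any' or 'network wildcard'
    sport: str     # 'any' or port number
    dst: str
    dport: str


def parse_rule(line: str) -> Rule:
    """Split a rule line; an address field is one token ('any') or two (net + wildcard)."""
    tokens = line.split()
    action = tokens[0].split("-")[0]              # 'permit-tcp' -> 'permit'
    fields, i = [], 1
    for kind in ("addr", "port", "addr", "port"):
        if kind == "addr" and tokens[i] != "any":
            fields.append(tokens[i] + " " + tokens[i + 1])
            i += 2
        else:
            fields.append(tokens[i])
            i += 1
    return Rule(action, *fields)


def evaluate(acl: List[Rule], src: str, sport: int, dst: str, dport: int) -> Tuple[str, Optional[int]]:
    """First matching entry decides; return (action, index). index None = implicit deny."""
    for idx, r in enumerate(acl):
        if (match_addr(r.src, src) and match_port(r.sport, sport)
                and match_addr(r.dst, dst) and match_port(r.dport, dport)):
            return r.action, idx
    return "deny", None                           # nothing matched: implicit deny


# Constructed ACLs reproducing the attempts discussed in the thread.
WEB_ONLY_ACL = [parse_rule(l) for l in (
    "permit-tcp any any any 80",
    "permit-tcp any any any 53",
    "permit-tcp any any any 443",
)]
SUBNET_ACL = [parse_rule("permit-tcp any any 10.0.0.0 0.0.0.255 80")]
DENY_FIRST_ACL = [parse_rule(l) for l in (
    "deny-tcp any any any any",                   # a deny placed first shadows everything below
    "permit-tcp any any any 80",
)]


def demo() -> dict:
    """Evaluate constructed packets from a VLAN 2 host (10.0.1.25, assumed) against each ACL."""
    host, inet = "10.0.1.25", "203.0.113.10"      # constructed addresses
    return {
        "web_allowed":   evaluate(WEB_ONLY_ACL, host, 51000, inet, 80),   # ('permit', 0)
        "ftp_blocked":   evaluate(WEB_ONLY_ACL, host, 51001, inet, 21),   # ('deny', None)
        "web_to_subnet": evaluate(SUBNET_ACL, host, 51000, inet, 80),     # ('deny', None): dst not in 10.0.0.0/24
        "deny_first":    evaluate(DENY_FIRST_ACL, host, 51000, inet, 80), # ('deny', 0): never reaches the permit
    }


if __name__ == "__main__":
    for name, (action, idx) in demo().items():
        where = "implicit deny" if idx is None else f"rule #{idx}"
        print(f"{name:14s} -> {action} ({where})")
```

The "web_to_subnet" case is the one from the message quoted above: the destination of a browsing request is the remote web server, so a permit whose destination is restricted to 10.0.0.0/24 never matches it and the packet falls through to the implicit deny.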

August 1st, 2006 14:00

I think I gave up back then on this, but now I'm attempting again.

I used the permit-tcp any any any 80, and did the same with 53 and 443, setting each priority 1, 2 & 3.  Actually I used the web interface to make the rules.  Then applied the ACL to VLAN2.  Guess what?  Doesn't work.  All ports still remain open and everything works.

I thought that by permitting all these ports, they would be the only ones open, and then the implicit deny at the end would block everything else, like FTP.  However, FTP still works when it shouldn't.